Authentication of a Consumable

ABSTRACT

A method authenticating a consumable is disclosed. The consumable includes a first integrated circuit operative to receive data and return the data encrypted. The method receives a random number from a trusted second integrated circuit. The random number is communicated to the first integrated circuit, and in response a first message containing the random number encrypted by the first integrated circuit is received from the first integrated circuit. Also, a second message containing the random number encrypted by the trusted integrated circuit is received from the trusted second integrated circuit. By comparing the first and second messages it is determined that the consumable is authentic when the first and second messages are the same.

CROSS-REFERENCES TO RELATED APPLICATIONS

This application is a Continuation Application of U.S. application Ser.No. 11/758,642 filed on Jun. 5, 2007, which is a ContinuationApplication of U.S. application Ser. No. 09/517,541 filed on Mar. 2,2000, now Issued U.S. Pat. No. 7,249,109, which is a DivisionalApplication of U.S. application Ser. No. 09/113,223 filed on Jul. 10,1998, now Issued U.S. Pat. No. 6,442,525, all of which are hereinincorporated by reference.

TECHNICAL FIELD

This invention concerns a method of shielding manipulations of secretdata, in an authentication chip, from observation. In another aspect itconcerns an authentication chip for performing the method.

BACKGROUND OF THE INVENTION

The process of authentication has particular application in any system(chip or software) that manipulates secure data. This includes Internetcommerce, peer to peer communication, Smart Cards, Authentication chips,electronic keys, and cryptographic equipment. Whilst the description ofthe preferred embodiments of the present invention assumes aSystem/consumable relationship, it is a trivial matter to extend theprotocol for other uses. An example is Internet commerce, where eachconsumer is effectively the consumable, and the Shop is the System.Another usage is Smart Cards, where each smart card can have a uniquekey, known to the System.

Existing solutions to the problem of authenticating consumables havetypically relied on physical patents on packaging. However this does notstop inferior refill operations or clone manufacture in countries withweak industrial property protection. Consequently a much higher level ofprotection is required.

SUMMARY OF THE INVENTION

According to an aspect of the present invention there is provide amethod authenticating a consumable, the consumable including a firstintegrated circuit operative to receive data and return the dataencrypted, the method comprising the steps of:

receiving a random number from a trusted second integrated circuit;

communicating the random number to the first integrated circuit;

receiving from the first integrated circuit a first message containingthe random number encrypted by the first integrated circuit;

receiving from the trusted second integrated circuit a second messagecontaining the random number encrypted by the trusted integratedcircuit;

comparing the first and second messages, the consumable being authenticwhen the first and second messages are the same.

Other aspects are also disclosed.

BRIEF DESCRIPTION OF THE DRAWINGS

Notwithstanding any other forms which may fall within the scope of thepresent invention, preferred forms of the invention will now bedescribed, by way of example only, with reference to the accompanyingdrawings in which:

FIG. 1 illustrates a single authentication chip data protocol;

FIG. 2 illustrates a dual authentication chip data protocol;

FIG. 3 illustrates a first presence only protocol;

FIG. 4 illustrates a second presence only protocol;

FIG. 5 illustrates a third data protocol;

FIG. 6 illustrates a fourth data protocol;

FIG. 7 is a schematic block diagram of a maximal period LFSR;

FIG. 8 is a schematic block diagram of a clock limiting filter;

FIG. 9 is a schematic block diagram of the tamper detection lines;

FIG. 10 illustrates an oversized nMOS transistor used as testtransistors in the tamper detection line of FIG. 9;

FIG. 11 is a circuit diagram of part of the tamper detection line ofFIG. 9 including XOR gates between the two paths;

FIG. 12 illustrates how the Tamper Lines cover the noise generatorcircuitry;

FIG. 13 is a circuit diagram of the normal FET implementation of a CMOSinverter;

FIG. 14 is voltage/current diagram for the transistors of the CMOSinverter of FIG. 13;

FIG. 15 is a circuit diagram of the FET implementation of a non-flashingCMOS inverter;

FIG. 16 is impedance diagram for the transistors of the CMOS inverter ofFIG. 15; and

FIG. 17 is a block diagram illustrating relative positioning of regularand non-flashing CMOS components.

BEST MODE OF THE INVENTION Authentication Chip

The authentication chip of the preferred embodiment is responsible forensuring that only correctly manufactured print rolls are utilized inthe camera system. The authentication chip utilizes technologies thatare generally valuable when utilized with any consumables and are notrestricted to print roll system. Manufacturers of other systems thatrequire consumables (such as a laser printer that requires tonercartridges) have struggled with the problem of authenticatingconsumables, to varying levels of success. Most have resorted tospecialized packaging. However this does not stop home refill operationsor clone manufacture. The prevention of copying is important to preventpoorly manufactured substitute consumables from damaging the basesystem. For example, poorly filtered ink may clog print nozzles in anink jet printer, causing the consumer to blame the system manufacturerand not admit the use of non-authorized consumables.

To solve the authentication problem, the Authentication chip contains anauthentication code and circuit specially designed to prevent copying.The chip is manufactured using the standard Flash memory manufacturingprocess, and is low cost enough to be included in consumables such asink and toner cartridges. Once programmed, the Authentication chips asdescribed here are compliant with the NSA export guidelines.Authentication is an extremely large and constantly growing field. Herewe are concerned with authenticating consumables only.

Symbolic Nomenclature

The following symbolic nomenclature is used throughout the discussion ofthis embodiment:

Symbolic Nomenclature Description F[X] Function F, taking a singleparameter X F[X, Y] Function F, taking two parameters, X and Y X|Y Xconcatenated with Y X

Y Bitwise X AND Y X

Y Bitwise X OR Y (inclusive-OR) X⊕Y Bitwise X XOR Y (exclusive-OR) ~XBitwise NOT X (complement) X ← Y X is assigned the value Y X ← {Y, Z}The domain of assignment inputs to X is Y and Z. X = Y X is equal to Y X≠ Y X is not equal to Y

X Decrement X by 1 (floor 0)

X Increment X by 1 (with wrapping based on register length) Erase XErase Flash memory register X SetBits[X, Y] Set the bits of the Flashmemory register X based on Y Z ← ShiftRight[X, Y] Shift register X rightone bit position, taking input bit from Y and placing the output bit inZ

Basic Terms

A message, denoted by M, is plaintext. The process of transforming Minto cyphertext C, where the substance of M is hidden, is calledencryption. The process of transforming C back into M is calleddecryption. Referring to the encryption function as E, and thedecryption function as D, we have the following identities:

E[M]=C

D[C]=M

Therefore the following identity is true:

D[E[M]]=M

Symmetric Cryptography

A symmetric encryption algorithm is one where:

-   -   the encryption function E relies on key K₁,    -   the decryption function D relies on key K₂,    -   K₂ can be derived from K₁, and    -   K₁ can be derived from K₂.        In most symmetric algorithms, K₁ usually equals K₂. However,        even if K₁ does not equal K₂, given that one key can be derived        from the other, a single key K can suffice for the mathematical        definition. Thus:

E_(K)[M]=C

D_(K)[C]=M

An enormous variety of symmetric algorithms exist, from the textbooks ofancient history through to sophisticated modern algorithms. Many ofthese are insecure, in that modern cryptanalysis techniques cansuccessfully attack the algorithm to the extent that K can be derived.The security of the particular symmetric algorithm is normally afunction of two things: the strength of the algorithm and the length ofthe key. The following algorithms include suitable aspects forutilization in the authentication chip.

-   -   DES    -   Blowfish    -   RC5    -   IDEA

DES

DES (Data Encryption Standard) is a US and international standard, wherethe same key is used to encrypt and decrypt. The key length is 56 bits.It has been implemented in hardware and software, although the originaldesign was for hardware only. The original algorithm used in DES isdescribed in U.S. Pat. No. 3,962,539. A variant of DES, calledtriple-DES is more secure, but requires 3 keys: K₁, K₂, and K₃. The keysare used in the following manner:

E_(K3)[D_(K2)[E_(K1)[M]]]=C

D_(K3)[E_(K2)[D_(K1)[C]]]=M

The main advantage of triple-DES is that existing DES implementationscan be used to give more security than single key DES. Specifically,triple-DES gives protection of equivalent key length of 112 bits.Triple-DES does not give the equivalent protection of a 168-bit key(3×56) as one might naively expect. Equipment that performs triple-DESdecoding and/or encoding cannot be exported from the United States.

Blowfish

Blowfish, is a symmetric block cipher first presented by Schneier in1994. It takes a variable length key, from 32 bits to 448 bits. Inaddition, it is much faster than DES. The Blowfish algorithm consists oftwo parts: a key-expansion part and a data-encryption part. Keyexpansion converts a key of at most 448 bits into several subkey arraystotaling 4168 bytes. Data encryption occurs via a 16-round Feistelnetwork. All operations are XORs and additions on 32-bit words, withfour index array lookups per round. It should be noted that decryptionis the same as encryption except that the subkey arrays are used in thereverse order. Complexity of implementation is therefore reducedcompared to other algorithms that do not have such symmetry.

RC5

Designed by Ron Rivest in 1995, RC5 has a variable block size, key size,and number of rounds. Typically, however, it uses a 64-bit block sizeand a 128-bit key. The RC5 algorithm consists of two parts: akey-expansion part and a data-encryption part. Key expansion converts akey into 2r+2 subkeys (where r=the number of rounds), each subkey beingw bits. For a 64-bit blocksize with 16 rounds (w=32, r=16), the subkeyarrays total 136 bytes. Data encryption uses addition mod 2^(w), XOR andbitwise rotation.

IDEA

Developed in 1990 by Lai and Massey, the first incarnation of the IDEAcipher was called PES. After differential cryptanalysis was discoveredby Biham and Shamir in 1991, the algorithm was strengthened, with theresult being published in 1992 as IDEA. IDEA uses 128 bit-keys tooperate on 64-bit plaintext blocks. The same algorithm is used forencryption and decryption. It is generally regarded to be the mostsecure block algorithm available today. It is described in U.S. Pat. No.5,214,703, issued in 1993.

Asymmetric Cryptography

As alternative an asymmetric algorithm could be used. An asymmetricencryption algorithm is one where:

-   -   the encryption function E relies on key K₁,    -   the decryption function D relies on key K₂,    -   K₂ cannot be derived from K₁ in a reasonable amount of time, and    -   K₁ cannot be derived from K₂ in a reasonable amount of time.

Thus:

E_(K1)[M]=C

D_(K2)[C]=M

These algorithms are also called public-key because one key K₁ can bemade public. Thus anyone can encrypt a message (using K₁), but only theperson with the corresponding decryption key (K₂) can decrypt and thusread the message. In most cases, the following identity also holds:

E_(K2)[M]=C

D_(K1)[C]=M

This identity is very important because it implies that anyone with thepublic key K₁ can see M and know that it came from the owner of K₂.No-one else could have generated C because to do so would implyknowledge of K₂. The property of not being able to derive K₁ from K₂ andvice versa in a reasonable time is of course clouded by the concept ofreasonable time. What has been demonstrated time after time, is that acalculation that was thought to require a long time has been madepossible by the introduction of faster computers, new algorithms etc.The security of asymmetric algorithms is based on the difficulty of oneof two problems: factoring large numbers (more specifically largenumbers that are the product of two large primes), and the difficulty ofcalculating discrete logarithms in a finite field. Factoring largenumbers is conjectured to be a hard problem given today's understandingof mathematics. The problem however, is that factoring is getting easiermuch faster than anticipated. Ron Rivest in 1977 said that factoring a125-digit number would take 40 quadrillion years. In 1994 a 129-digitnumber was factored. According to Schneier, you need a 1024-bit numberto get the level of security today that you got from a 512-bit number inthe 1980's. If the key is to last for some years then 1024 bits may noteven be enough. Rivest revised his key length estimates in 1990: hesuggests 1628 bits for high security lasting until 2005, and 1884 bitsfor high security lasting until 2015. By contrast, Schneier suggests2048 bits are required in order to protect against corporations andgovernments until 2015.

A number of public key cryptographic algorithms exist. Most areimpractical to implement, and many generate a very large C for a given Mor require enormous keys. Still others, while secure, are far too slowto be practical for several years. Because of this, many public-keysystems are hybrid—a public key mechanism is used to transmit asymmetric session key, and then the session key is used for the actualmessages. All of the algorithms have a problem in terms of keyselection. A random number is simply not secure enough. The two largeprimes p and q must be chosen carefully—there are certain weakcombinations that can be factored more easily (some of the weak keys canbe tested for). But nonetheless, key selection is not a simple matter ofrandomly selecting 1024 bits for example. Consequently the key selectionprocess must also be secure.

Of the practical algorithms in use under public scrutiny, the followingmay be suitable for utilization:

-   -   RSA    -   DSA    -   ElGamal

RSA

The RSA cryptosystem, named after Rivest, Shamir, and Adleman, is themost widely used public-key cryptosystem, and is a de facto standard inmuch of the world. The security of RSA is conjectured to depend on thedifficulty of factoring large numbers that are the product of two primes(p and q). There are a number of restrictions on the generation of p andq. They should both be large, with a similar number of bits, yet not beclose to one another (otherwise pq≈√pq). In addition, many authors havesuggested that p and q should be strong primes. The RSA algorithm patentwas issued in 1983 (U.S. Pat. No. 4,405,829).

DSA

DSA (Digital Signature Standard) is an algorithm designed as part of theDigital Signature Standard (DSS). As defined, it cannot be used forgeneralized encryption. In addition, compared to RSA, DSA is 10 to 40times slower for signature verification. DSA explicitly uses the SHA-1hashing algorithm (see definition in

One-way Functions below). DSA key generation relies on finding twoprimes p and q such that q divides p−1. According to Schneier, a1024-bit p value is required for long term DSA security. However the DSAstandard does not permit values of p larger than 1024 bits (p must alsobe a multiple of 64 bits). The US Government owns the DSA algorithm andhas at least one relevant patent (U.S. Pat. No. 5,231,688 granted in1993).

ElGamal

The ElGamal scheme is used for both encryption and digital signatures.The security is based on the difficulty of calculating discretelogarithms in a finite field. Key selection involves the selection of aprime p, and two random numbers g and x such that both g and x are lessthan p. Then calculate y=gx mod p. The public key is y, g, and p. Theprivate key is x.

Cryptographic Challenge-Response Protocols and Zero Knowledge Proofs

The general principle of a challenge-response protocol is to provideidentity authentication adapted to a camera system. The simplest form ofchallenge-response takes the form of a secret password. A asks B for thesecret password, and if B responds with the correct password, A declaresB authentic. There are three main problems with this kind of simplisticprotocol. Firstly, once B has given out the password, any observer Cwill know what the password is. Secondly, A must know the password inorder to verify it. Thirdly, if C impersonates A, then B will give thepassword to C (thinking C was A), thus compromising B. Using a copyrighttext (such as a haiku) is a weaker alternative as we are assuming thatanyone is able to copy the password (for example in a country whereintellectual property is not respected). The idea of cryptographicchallenge-response protocols is that one entity (the claimant) provesits identity to another (the verifier) by demonstrating knowledge of asecret known to be associated with that entity, without revealing thesecret itself to the verifier during the protocol. In the generalizedcase of cryptographic challenge-response protocols, with some schemesthe verifier knows the secret, while in others the secret is not evenknown by the verifier. Since the discussion of this embodimentspecifically concerns Authentication, the actual cryptographicchallenge-response protocols used for authentication are detailed in theappropriate sections. However the concept of Zero Knowledge Proofs willbe discussed here. The Zero Knowledge Proof protocol, first described byFeige, Fiat and Shamir is extensively used in Smart Cards for thepurpose of authentication. The protocol's effectiveness is based on theassumption that it is computationally infeasible to compute square rootsmodulo a large composite integer with unknown factorization. This isprovably equivalent to the assumption that factoring large integers isdifficult. It should be noted that there is no need for the claimant tohave significant computing power. Smart cards implement this kind ofauthentication using only a few modular multiplications. The ZeroKnowledge Proof protocol is described in U.S. Pat. No. 4,748,668.

One-way Functions

A one-way function F operates on an input X, and returns F[X] such thatX cannot be determined from F[X]. When there is no restriction on theformat of X, and F[X] contains fewer bits than X, then collisions mustexist. A collision is defined as two different X input values producingthe same F[X] value—i.e. X₁ and X₂ exist such that X₁≠X₂ yetF[X₁]=F[X₂]. When X contains more bits than F[X], the input must becompressed in some way to create the output. In many cases, X is brokeninto blocks of a particular size, and compressed over a number ofrounds, with the output of one round being the input to the next. Theoutput of the hash function is the last output once X has been consumed.A pseudo-collision of the compression function CF is defined as twodifferent initial values V₁ and V₂ and two inputs X₁ and X₂ (possiblyidentical) are given such that CF(V₁, X₁)=CF(V₂, X₂). Note that theexistence of a pseudo-collision does not mean that it is easy to computean X₂ for a given X₁.

We are only interested in one-way functions that are fast to compute. Inaddition, we are only interested in deterministic one-way functions thatare repeatable in different implementations. Consider an example F whereF[X] is the time between calls to F. For a given F[X] X cannot bedetermined because X is not even used by F. However the output from Fwill be different for different implementations. This kind of F istherefore not of interest.

In the scope of the discussion of the implementation of theauthentication chip of this embodiment, we are interested in thefollowing forms of one-way functions:

-   -   Encryption using an unknown key    -   Random number sequences    -   Hash Functions    -   Message Authentication Codes

Encryption Using an Unknown Key

When a message is encrypted using an unknown key K, the encryptionfunction E is effectively one-way. Without the key, it iscomputationally infeasible to obtain M from E_(K)[M] without K. Anencryption function is only one-way for as long as the key remainshidden. An encryption algorithm does not create collisions, since Ecreates E_(K)[M] such that it is possible to reconstruct M usingfunction D. Consequently F[X] contains at least as many bits as X (noinformation is lost) if the one-way function F is E. Symmetricencryption algorithms (see above) have the advantage over Asymmetricalgorithms for producing one-way functions based on encryption for thefollowing reasons:

-   -   The key for a given strength encryption algorithm is shorter for        a symmetric algorithm than an asymmetric algorithm    -   Symmetric algorithms are faster to compute and require less        software/silicon        The selection of a good key depends on the encryption algorithm        chosen. Certain keys are not strong for particular encryption        algorithms, so any key needs to be tested for strength. The more        tests that need to be performed for key selection, the less        likely the key will remain hidden.

Random Number Sequences

Consider a random number sequence R₀, R₁, . . . , R_(I), R_(i+1). Wedefine the one-way function F such that F[X] returns the X^(th) randomnumber in the random sequence. However we must ensure that F[X] isrepeatable for a given X on different implementations. The random numbersequence therefore cannot be truly random. Instead, it must bepseudo-random, with the generator making use of a specific seed.

There are a large number of issues concerned with defining good randomnumber generators. Knuth, describes what makes a generator “good”(including statistical tests), and the general problems associated withconstructing them. The majority of random number generators produce thei^(th) random number from the i−1^(th) state—the only way to determinethe i^(th) number is to iterate from the 0^(th) number to the i^(th). Ifi is large, it may not be practical to wait for i iterations. Howeverthere is a type of random number generator that does allow randomaccess. Blum, Blum and Shub define the ideal generator as follows: “ . .. we would like a pseudo-random sequence generator to quickly produce,from short seeds, long sequences (of bits) that appear in every way tobe generated by successive flips of a fair coin”. They defined the x²mod n generator, more commonly referred to as the BBS generator. Theyshowed that given certain assumptions upon which modern cryptographyrelies, a BBS generator passes extremely stringent statistical tests.

The BBS generator relies on selecting n which is a Blum integer (n=pqwhere p and q are large prime numbers, p≠q, p mod 4=3, and q mod 4=3).The initial state of the generator is given by x₀ where x₀=x² mod n, andx is a random integer relatively prime to n. The i^(th) pseudo-randombit is the least significant bit of x_(i) where x_(i)=x_(i−1) ² mod n.As an extra property, knowledge of p and q allows a direct calculationof the i^(th) number in the sequence as follows: x_(i)=x₀ ^(y) mod n,where y=2^(i) mod((p−1)(q−1)) Without knowledge of p and q, thegenerator must iterate (the security of calculation relies on thedifficulty of factoring large numbers). When first defined, the primaryproblem with the BBS generator was the amount of work required for asingle output bit. The algorithm was considered too slow for mostapplications. However the advent of Montgomery reduction arithmetic hasgiven rise to more practical implementations. In addition, Vazirani andVazirani have shown that depending on the size of n, more bits cansafely be taken from x_(i) without compromising the security of thegenerator. Assuming we only take 1 bit per x_(i), N bits (and hence Niterations of the bit generator function) are needed in order togenerate an N-bit random number. To the outside observer, given aparticular set of bits, there is no way to determine the next bit otherthan a 50/50 probability. If the x, p and q are hidden, they act as akey, and it is computationally unfeasible to take an output bit streamand compute x, p, and q. It is also computationally unfeasible todetermine the value of i used to generate a given set of pseudo-randombits. This last feature makes the generator one-way. Different values ofi can produce identical bit sequences of a given length (e.g. 32 bits ofrandom bits). Even if x, p and q are known, for a given F[i], i can onlybe derived as a set of possibilities, not as a certain value (of courseif the domain of i is known, then the set of possibilities is reducedfurther). However, there are problems in selecting a good p and q, and agood seed x. In particular, Ritter describes a problem in selecting x.The nature of the problem is that a BBS generator does not create asingle cycle of known length. Instead, it creates cycles of variouslengths, including degenerate (zero-length) cycles. Thus a BBS generatorcannot be initialized with a random state—it might be on a short cycle.

Hash Functions

Special one-way functions, known as Hash functions map arbitrary lengthmessages to fixed-length hash values. Hash functions are referred to asH[M]. Since the input is arbitrary length, a hash function has acompression component in order to produce a fixed length output. Hashfunctions also have an obfuscation component in order to make itdifficult to find collisions and to determine information about M fromH[M]. Because collisions do exist, most applications require that thehash algorithm is preimage resistant, in that for a given X₁ it isdifficult to find X₂ such that H[X₁]=H[X₂]. In addition, mostapplications also require the hash algorithm to be collision resistant(i.e. it should be hard to find two messages X₁ and X₂ such thatH[X₁]=H[X₂]). It is an open problem whether a collision-resistant hashfunction, in the idealist sense, can exist at all. The primaryapplication for hash functions is in the reduction of an input messageinto a digital “fingerprint” before the application of a digitalsignature algorithm. One problem of collisions with digital signaturescan be seen in the following example.

-   -   A has a long message M₁ that says “I owe B $10”. A signs H[M₁]        using his private key. B, being greedy, then searches for a        collision message M₂ where H[M₂]=H[M₁] but where M₂ is favorable        to B, for example “I owe B $1 million”. Clearly it is in A's        interest to ensure that it is difficult to find such an M₂.        Examples of collision resistant one-way hash functions are        SHA-1, MD5 and RIPEMD-160, all derived from MD4.

MD4

Ron Rivest introduced MD4 in 1990. It is mentioned here because allother one-way hash functions are derived in some way from MD4. MD4 isnow considered completely broken in that collisions can be calculatedinstead of searched for. In the example above, B could triviallygenerate a substitute message M₂ with the same hash value as theoriginal message M₁.

MD5

Ron Rivest introduced MD5 in 1991 as a more secure MD4. Like MD4, MD5produces a 128-bit hash value. Dobbertin describes the status of MD5after recent attacks. He describes how pseudo-collisions have been foundin MD5, indicating a weakness in the compression function, and morerecently, collisions have been found. This means that MD5 should not beused for compression in digital signature schemes where the existence ofcollisions may have dire consequences. However MD5 can still be used asa one-way function. In addition, the HMAC-MD5 construct is not affectedby these recent attacks.

SHA-1

SHA-1 is very similar to MD5, but has a 160-bit hash value (MD5 only has128 bits of hash value). SHA-1 was designed and introduced by the NISTand NSA for use in the Digital Signature Standard (DSS). The originalpublished description was called SHA, but very soon afterwards, wasrevised to become SHA-1, supposedly to correct a security flaw in SHA(although the NSA has not released the mathematical reasoning behind thechange). There are no known cryptographic attacks against SHA-1. It isalso more resistant to brute-force attacks than MD4 or MD5 simplybecause of the longer hash result. The US Government owns the SHA-1 andDSA algorithms (a digital signature authentication algorithm defined aspart of DSS) and has at least one relevant patent (U.S. Pat. No.5,231,688 granted in 1993).

RIPEMD-160

RIPEMD-160 is a hash function derived from its predecessor RIPEMD(developed for the European Community's RIPE project in 1992). As itsname suggests, RIPEMD-160 produces a 160-bit hash result. Tuned forsoftware implementations on 32-bit architectures, RIPEMD-160 is intendedto provide a high level of security for 10 years or more. Although therehave been no successful attacks on RIPEMD-160, it is comparatively newand has not been extensively cryptanalyzed. The original RIPEMDalgorithm was specifically designed to resist known cryptographicattacks on MD4. The recent attacks on MD5 showed similar weaknesses inthe RIPEMD 128-bit hash function. Although the attacks showed onlytheoretical weaknesses, Dobbertin, Preneel and Bosselaers furtherstrengthened RIPEMD into a new algorithm RIPEMD-160.

Message Authentication Codes

The problem of message authentication can be summed up as follows:

-   -   How can A be sure that a message supposedly from B is in fact        from B?        Message authentication is different from entity authentication.        With entity authentication, one entity (the claimant) proves its        identity to another (the verifier). With message authentication,        we are concerned with making sure that a given message is from        who we think it is from i.e. it has not been tampered en route        from the source to its destination. A one-way hash function is        not sufficient protection for a message. Hash functions such as        MD5 rely on generating a hash value that is representative of        the original input, and the original input cannot be derived        from the hash value. A simple attack by E, who is in-between A        and B, is to intercept the message from B, and substitute his        own. Even if A also sends a hash of the original message, E can        simply substitute the hash of his new message. Using a one-way        hash function alone, A has no way of knowing that B's message        has been changed. One solution to the problem of message        authentication is the Message Authentication Code, or MAC. When        B sends message M, it also sends MAC[M] so that the receiver        will know that M is actually from B. For this to be possible,        only B must be able to produce a MAC of M, and in addition, A        should be able to verify M against MAC[M]. Notice that this is        different from encryption of M—MACs are useful when M does not        have to be secret. The simplest method of constructing a MAC        from a hash function is to encrypt the hash value with a        symmetric algorithm:    -   Hash the input message H[M]    -   Encrypt the hash E_(K)[H[M]]        This is more secure than first encrypting the message and then        hashing the encrypted message. Any symmetric or asymmetric        cryptographic function can be used. However, there are        advantages to using a key-dependant one-way hash function        instead of techniques that use encryption (such as that shown        above):    -   Speed, because one-way hash functions in general work much        faster than encryption;    -   Message size, because E_(K)[H[M]] is at least the same size as        M, while H[M] is a fixed size (usually considerably smaller than        M);    -   Hardware/software requirements—keyed one-way hash functions are        typically far less complexity than their encryption-based        counterparts; and    -   One-way hash function implementations are not considered to be        encryption or decryption devices and therefore are not subject        to US export controls.        It should be noted that hash functions were never originally        designed to contain a key or to support message authentication.        As a result, some ad hoc methods of using hash functions to        perform message authentication, including various functions that        concatenate messages with secret prefixes, suffixes, or both        have been proposed. Most of these ad hoc methods have been        successfully attacked by sophisticated means. Additional MACs        have been suggested based on XOR schemes and Toeplitz matrices        (including the special case of LFSR-based constructions).

HMAC

The HMAC construction in particular is gaining acceptance as a solutionfor Internet message authentication security protocols. The HMACconstruction acts as a wrapper, using the underlying hash function in ablack-box way. Replacement of the hash function is straightforward ifdesired due to security or performance reasons. However, the majoradvantage of the HMAC construct is that it can be proven secure providedthe underlying hash function has some reasonable cryptographicstrengths—that is, HMAC's strengths are directly connected to thestrength of the hash function. Since the HMAC construct is a wrapper,any iterative hash function can be used in an HMAC. Examples includeHMAC-MD5, HMAC-SHA1, HMAC-RIPEMD160 etc. Given the followingdefinitions:

-   -   H=the hash function (e.g. MD5 or SHA-1)    -   n=number of bits output from H (e.g. 160 for SHA-1, 128 bits for        MD5)    -   M=the data to which the MAC function is to be applied    -   K=the secret key shared by the two parties    -   ipad=0x36 repeated 64 times    -   opad=0x5C repeated 64 times

The HMAC algorithm is as follows:

1. Extend K to 64 bytes by appending 0x00 bytes to the end of K2. XOR the 64 byte string created in (1) with ipad3. Append data stream M to the 64 byte string created in (2)4. Apply H to the stream generated in (3)5. XOR the 64 byte string created in (1) with opad6. Append the H result from (4) to the 64 byte string resulting from (5)7. Apply H to the output of (6) and output the result

Thus:

HMAC[M]=H[(K⊕opad)|H[(K⊕ipad)|M]]

The recommended key length is at least n bits, although it should not belonger than 64 bytes (the length of the hashing block). A key longerthan n bits does not add to the security of the function. HMACoptionally allows truncation of the final output e.g. truncation to 128bits from 160 bits. The HMAC designers' Request for Comments was issuedin 1997, one year after the algorithm was first introduced. Thedesigners claimed that the strongest known attack against HMAC is basedon the frequency of collisions for the hash function H and is totallyimpractical for minimally reasonable hash functions. More recently, HMACprotocols with replay prevention components have been defined in orderto prevent the capture and replay of any M, HMAC[M] combination within agiven time period.

Random Numbers and Time Varying Messages

The use of a random number generator as a one-way function has alreadybeen examined. However, random number generator theory is very muchintertwined with cryptography, security, and authentication. There are alarge number of issues concerned with defining good random numbergenerators. Knuth, describes what makes a generator good (includingstatistical tests), and the general problems associated withconstructing them. One of the uses for random numbers is to ensure thatmessages vary over time. Consider a system where A encrypts commands andsends them to B. If the encryption algorithm produces the same outputfor a given input, an attacker could simply record the messages and playthem back to fool B. There is no need for the attacker to crack theencryption mechanism other than to know which message to play to B(while pretending to be A). Consequently messages often include a randomnumber and a time stamp to ensure that the message (and hence itsencrypted counterpart) varies each time. Random number generators arealso often used to generate keys. It is therefore best to say at themoment, that all generators are insecure for this purpose. For example,the Berlekamp-Massey algorithm, is a classic attack on an LFSR randomnumber generator. If the LFSR is of length n, then only 2n bits of thesequence suffice to determine the LFSR, compromising the key generator.If, however, the only role of the random number generator is to makesure that messages vary over time, the security of the generator andseed is not as important as it is for session key generation. Ifhowever, the random number seed generator is compromised, and anattacker is able to calculate future “random” numbers, it can leave someprotocols open to attack. Any new protocol should be examined withrespect to this situation. The actual type of random number generatorrequired will depend upon the implementation and the purposes for whichthe generator is used. Generators include Blum, Blum, and Shub, streamciphers such as RC4 by Ron Rivest, hash functions such as SHA-1 andRIPEMD-160, and traditional generators such LFSRs (Linear Feedback ShiftRegisters) and their more recent counterpart FCSRs (Feedback with CarryShift Registers).

Attacks

This section describes the various types of attacks that can beundertaken to break an authentication cryptosystem such as theauthentication chip. The attacks are grouped into physical and logicalattacks. Physical attacks describe methods for breaking a physicalimplementation of a cryptosystem (for example, breaking open a chip toretrieve the key), while logical attacks involve attacks on thecryptosystem that are implementation independent. Logical types ofattack work on the protocols or algorithms, and attempt to do one ofthree things:

-   -   Bypass the authentication process altogether    -   Obtain the secret key by force or deduction, so that any        question can be answered    -   Find enough about the nature of the authenticating questions and        answers in order to, without the key, give the right answer to        each question.        The attack styles and the forms they take are detailed below.        Regardless of the algorithms and protocol used by a security        chip, the circuitry of the authentication part of the chip can        come under physical attack. Physical attack comes in four main        ways, although the form of the attack can vary:    -   Bypassing the Authentication Chip altogether    -   Physical examination of chip while in operation (destructive and        non-destructive)    -   Physical decomposition of chip    -   Physical alteration of chip        The attack styles and the forms they take are detailed below.        This section does not suggest solutions to these attacks. It        merely describes each attack type. The examination is restricted        to the context of an Authentication chip (as opposed to some        other kind of system, such as Internet authentication) attached        to some System.

Logical Attacks

These attacks are those which do not depend on the physicalimplementation of the cryptosystem. They work against the protocols andthe security of the algorithms and random number generators.

Ciphertext Only Attack

This is where an attacker has one or more encrypted messages, allencrypted using the same algorithm. The aim of the attacker is to obtainthe plaintext messages from the encrypted messages. Ideally, the key canbe recovered so that all messages in the future can also be recovered.

Known Plaintext Attack

This is where an attacker has both the plaintext and the encrypted formof the plaintext. In the case of an Authentication Chip, aknown-plaintext attack is one where the attacker can see the data flowbetween the System and the Authentication Chip. The inputs and outputsare observed (not chosen by the attacker), and can be analyzed forweaknesses (such as birthday attacks or by a search for differentiallyinteresting input/output pairs). A known plaintext attack is a weakertype of attack than the chosen plaintext attack, since the attacker canonly observe the data flow. A known plaintext attack can be carried outby connecting a logic analyzer to the connection between the System andthe Authentication Chip.

Chosen Plaintext Attacks

A chosen plaintext attack describes one where a cryptanalyst has theability to send any chosen message to the cryptosystem, and observe theresponse. If the cryptanalyst knows the algorithm, there may be arelationship between inputs and outputs that can be exploited by feedinga specific output to the input of another function. On a system using anembedded Authentication Chip, it is generally very difficult to preventchosen plaintext attacks since the cryptanalyst can logically pretendhe/she is the System, and thus send any chosen bit-pattern streams tothe Authentication Chip.

Adaptive Chosen Plaintext Attacks

This type of attack is similar to the chosen plaintext attacks exceptthat the attacker has the added ability to modify subsequent chosenplaintexts based upon the results of previous experiments. This iscertainly the case with any System/Authentication Chip scenariodescribed when utilized for consumables such as photocopiers and tonercartridges, especially since both Systems and Consumables are madeavailable to the public.

Brute Force Attack

A guaranteed way to break any key-based cryptosystem algorithm is simplyto try every key. Eventually the right one will be found. This is knownas a Brute Force Attack. However, the more key possibilities there are,the more keys must be tried, and hence the longer it takes (on average)to find the right one. If there are N keys, it will take a maximum of Ntries. If the key is N bits long, it will take a maximum of 2^(N) tries,with a 50% chance of finding the key after only half the attempts(2^(N−1)). The longer N becomes, the longer it will take to find thekey, and hence the more secure the key is. Of course, an attack mayguess the key on the first try, but this is more unlikely the longer thekey is. Consider a key length of 56 bits. In the worst case, all 2⁵⁶tests (7.2×10¹⁶ tests) must be made to find the key. In 1977, Diffie andHellman described a specialized machine for cracking DES, consisting ofone million processors, each capable of running one million tests persecond. Such a machine would take 20 hours to break any DES code.Consider a key length of 128 bits. In the worst case, all 2¹²⁸ tests(3.4×10³⁸ tests) must be made to find the key. This would take tenbillion years on an array of a trillion processors each running 1billion tests per second. With a long enough key length, a Brute ForceAttack takes too long to be worth the attacker's efforts.

Guessing Attack

This type of attack is where an attacker attempts to simply “guess” thekey. As an attack it is identical to the Brute force attack, where theodds of success depend on the length of the key.

Quantum Computer Attack

To break an n-bit key, a quantum computer (NMR, Optical, or Caged Atom)containing n qubits embedded in an appropriate algorithm must be built.The quantum computer effectively exists in 2^(n) simultaneous coherentstates. The trick is to extract the right coherent state without causingany decoherence. To date this has been achieved with a 2 qubit system(which exists in 4 coherent states). It is thought possible to extendthis to 6 qubits (with 64 simultaneous coherent states) within a fewyears.

Unfortunately, every additional qubit halves the relative strength ofthe signal representing the key. This rapidly becomes a seriousimpediment to key retrieval, especially with the long keys used incryptographically secure systems. As a result, attacks on acryptographically secure key (e.g. 160 bits) using a Quantum Computerare likely not to be feasible and it is extremely unlikely that quantumcomputers will have achieved more than 50 or so qubits within thecommercial lifetime of the Authentication Chips. Even using a 50 qubitquantum computer, 2¹¹⁰ tests are required to crack a 160 bit key.

Purposeful Error Attack

With certain algorithms, attackers can gather valuable information fromthe results of a bad input. This can range from the error message textto the time taken for the error to be generated. A simple example isthat of a userid/password scheme. If the error message usually says “Baduserid”, then when an attacker gets a message saying “Bad password”instead, then they know that the userid is correct. If the messagealways says “Bad userid/password” then much less information is given tothe attacker. A more complex example is that of the recent publishedmethod of cracking encryption codes from secure web sites. The attackinvolves sending particular messages to a server and observing the errormessage responses. The responses give enough information to learn thekeys—even the lack of a response gives some information. An example ofalgorithmic time can be seen with an algorithm that returns an error assoon as an erroneous bit is detected in the input message. Depending onhardware implementation, it may be a simple method for the attacker totime the response and alter each bit one by one depending on the timetaken for the error response, and thus obtain the key. Certainly in achip implementation the time taken can be observed with far greateraccuracy than over the Internet.

Birthday Attack

This attack is named after the famous “birthday paradox” (which is notactually a paradox at all). The odds of one person sharing a birthdaywith another, is 1 in 365 (not counting leap years). Therefore theremust be 183 people in a room for the odds to be more than 50% that oneof them shares your birthday. However, there only needs to be 23 peoplein a room for there to be more than a 50% chance that any two share abirthday. This is because 23 people yields 253 different pairs. Birthdayattacks are common attacks against hashing algorithms, especially thosealgorithms that combine hashing with digital signatures. If a messagehas been generated and already signed, an attacker must search for acollision message that hashes to the same value (analogous to findingone person who shares your birthday). However, if the attacker cangenerate the message, the Birthday Attack comes into play. The attackersearches for two messages that share the same hash value (analogous toany two people sharing a birthday), only one message is acceptable tothe person signing it, and the other is beneficial for the attacker.Once the person has signed the original message the attacker simplyclaims now that the person signed the alternative message—mathematicallythere is no way to tell which message was the original, since they bothhash to the same value. Assuming a Brute Force Attack is the only way todetermine a match, the weakening of an n-bit key by the birthday attackis 2^(n/2). A key length of 128 bits that is susceptible to the birthdayattack has an effective length of only 64 bits.

Chaining Attack

These are attacks made against the chaining nature of hash functions.They focus on the compression function of a hash function. The idea isbased on the fact that a hash function generally takes arbitrary lengthinput and produces a constant length output by processing the input nbits at a time. The output from one block is used as the chainingvariable set into the next block. Rather than finding a collisionagainst an entire input, the idea is that given an input chainingvariable set, to find a substitute block that will result in the sameoutput chaining variables as the proper message. The number of choicesfor a particular block is based on the length of the block. If thechaining variable is c bits, the hashing function behaves like a randommapping, and the block length is b bits, the number of such b-bit blocksis approximately 2b/2c. The challenge for finding a substitution blockis that such blocks are a sparse subset of all possible blocks. ForSHA-1, the number of 512 bit blocks is approximately 2⁵¹² _(/)2¹⁶⁰, or2³⁵². The chance of finding a block by brute force search is about 1 in2¹⁶⁰.

Substitution with a Complete Lookup Table

If the number of potential messages sent to the chip is small, thenthere is no need for a clone manufacturer to crack the key. Instead, theclone manufacturer could incorporate a ROM in their chip that had arecord of all of the responses from a genuine chip to the codes sent bythe system. The larger the key, and the larger the response, the morespace is required for such a lookup table.

Substitution with a Sparse Lookup Table

If the messages sent to the chip are somehow predictable, rather thaneffectively random, then the clone manufacturer need not provide acomplete lookup table. For example:

-   -   If the message is simply a serial number, the clone manufacturer        need simply provide a lookup table that contains values for past        and predicted future serial numbers. There are unlikely to be        more than 10⁹ of these.    -   If the test code is simply the date, then the clone manufacturer        can produce a lookup table using the date as the address.    -   If the test code is a pseudo-random number using either the        serial number or the date as a seed, then the clone manufacturer        just needs to crack the pseudo-random number generator in the        System. This is probably not difficult, as they have access to        the object code of the System. The clone manufacturer would then        produce a content addressable memory (or other sparse array        lookup) using these codes to access stored authentication codes.

Differential Cryptanalysis

Differential cryptanalysis describes an attack where pairs of inputstreams are generated with known differences, and the differences in theencoded streams are analyzed. Existing differential attacks are heavilydependent on the structure of S boxes, as used in DES and other similaralgorithms. Although other algorithms such as HMAC-SHA1 have no S boxes,an attacker can undertake a differential-like attack by undertakingstatistical analysis of:

-   -   Minimal-difference inputs, and their corresponding outputs    -   Minimal-difference outputs, and their corresponding inputs        Most algorithms were strengthened against differential        cryptanalysis once the process was described. This is covered in        the specific sections devoted to each cryptographic algorithm.        However some recent algorithms developed in secret have been        broken because the developers had not considered certain styles        of differential attacks and did not subject their algorithms to        public scrutiny.

Message Substitution Attacks

In certain protocols, a man-in-the-middle can substitute part or all ofa message. This is where a real Authentication Chip is plugged into areusable clone chip within the consumable. The clone chip intercepts allmessages between the System and the Authentication Chip, and can performa number of substitution attacks. Consider a message containing a headerfollowed by content. An attacker may not be able to generate a validheader, but may be able to substitute their own content, especially ifthe valid response is something along the lines of “Yes, I received yourmessage”. Even if the return message is “Yes, I received the followingmessage . . . ”, the attacker may be able to substitute the originalmessage before sending the acknowledgement back to the original sender.Message Authentication Codes were developed to combat most messagesubstitution attacks.

Reverse Engineering the Key Generator

If a pseudo-random number generator is used to generate keys, there isthe potential for a clone manufacture to obtain the generator program orto deduce the random seed used. This was the way in which the Netscapesecurity program was initially broken.

Bypassing Authentication Altogether

It may be that there are problems in the authentication protocols thatcan allow a bypass of the authentication process altogether. With thesekinds of attacks the key is completely irrelevant, and the attacker hasno need to recover it or deduce it. Consider an example of a system thatAuthenticates at power-up, but does not authenticate at any other time.A reusable consumable with a clone Authentication Chip may make use of areal Authentication Chip. The clone authentication chip uses the realchip for the authentication call, and then simulates the realAuthentication Chip's state data after that. Another example ofbypassing authentication is if the System authenticates only after theconsumable has been used. A clone Authentication Chip can accomplish asimple authentication bypass by simulating a loss of connection afterthe use of the consumable but before the authentication protocol hascompleted (or even started). One infamous attack known as the “KentuckyFried Chip” hack involved replacing a microcontroller chip for asatellite TV system. When a subscriber stopped paying the subscriptionfee, the system would send out a “disable” message. However the newmicrocontroller would simply detect this message and not pass it on tothe consumer's satellite TV system.

Garrote/Bribe Attack

If people know the key, there is the possibility that they could tellsomeone else. The telling may be due to coercion (bribe, garrote etc),revenge (e.g. a disgruntled employee), or simply for principle. Theseattacks are usually cheaper and easier than other efforts at deducingthe key. As an example, a number of people claiming to be involved withthe development of the Divx standard have recently (May/June 1998) beenmaking noises on a variety of DVD newsgroups to the effect they wouldlike to help develop Divx specific cracking devices—out of principle.

Physical Attacks

The following attacks assume implementation of an authenticationmechanism in a silicon chip that the attacker has physical access to.The first attack, Reading ROM, describes an attack when keys are storedin ROM, while the remaining attacks assume that a secret key is storedin Flash memory.

Reading ROM

If a key is stored in ROM it can be read directly. A ROM can thus besafely used to hold a public key (for use in asymmetric cryptography),but not to hold a private key. In symmetric cryptography, a ROM iscompletely insecure. Using a copyright text (such as a haiku) as the keyis not sufficient, because we are assuming that the cloning of the chipis occurring in a country where intellectual property is not respected.

Reverse Engineering of Chip

Reverse engineering of the chip is where an attacker opens the chip andanalyzes the circuitry. Once the circuitry has been analyzed the innerworkings of the chip's algorithm can be recovered. Lucent Technologieshave developed an active method known as TOBIC (Two photon OBIC, whereOBIC stands for Optical Beam Induced Current), to image circuits.Developed primarily for static RAM analysis, the process involvesremoving any back materials, polishing the back surface to a mirrorfinish, and then focusing light on the surface. The excitationwavelength is specifically chosen not to induce a current in the IC. AKerckhoffs in the nineteenth century made a fundamental assumption aboutcryptanalysis: if the algorithm's inner workings are the sole secret ofthe scheme, the scheme is as good as broken. He stipulated that thesecrecy must reside entirely in the key. As a result, the best way toprotect against reverse engineering of the chip is to make the innerworkings irrelevant.

Usurping the Authentication Process

It must be assumed that any clone manufacturer has access to both theSystem and consumable designs. If the same channel is used forcommunication between the System and a trusted System AuthenticationChip, and a non-trusted consumable Authentication Chip, it may bepossible for the non-trusted chip to interrogate a trustedAuthentication Chip in order to obtain the “correct answer”. If this isso, a clone manufacturer would not have to determine the key. They wouldonly have to trick the System into using the responses from the SystemAuthentication Chip. The alternative method of usurping theauthentication process follows the same method as the logical attack“Bypassing the Authentication Process”, involving simulated loss ofcontact with the System whenever authentication processes take place,simulating power-down etc.

Modification of System

This kind of attack is where the System itself is modified to acceptclone consumables. The attack may be a change of System ROM, a rewiringof the consumable, or, taken to the extreme case, a completely cloneSystem. This kind of attack requires each individual System to bemodified, and would most likely require the owner's consent. There wouldusually have to be a clear advantage for the consumer to undertake sucha modification, since it would typically void warranty and would mostlikely be costly. An example of such a modification with a clearadvantage to the consumer is a software patch to change fixed-region DVDplayers into region-free DVD players.

Direct Viewing of Chip Operation by Conventional Probing

If chip operation could be directly viewed using an STM or an electronbeam, the keys could be recorded as they are read from the internalnon-volatile memory and loaded into work registers. These forms ofconventional probing require direct access to the top or front sides ofthe IC while it is powered.

Direct Viewing of the Non-Volatile Memory

If the chip were sliced so that the floating gates of the Flash memorywere exposed, without discharging them, then the key could probably beviewed directly using an STM or SKM (Scanning Kelvin Microscope).However, slicing the chip to this level without discharging the gates isprobably impossible. Using wet etching, plasma etching, ion milling(focused ion beam etching), or chemical mechanical polishing will almostcertainly discharge the small charges present on the floating gates.

Viewing the Light Bursts Caused by State Changes

Whenever a gate changes state, a small amount of infrared energy isemitted. Since silicon is transparent to infrared, these changes can beobserved by looking at the circuitry from the underside of a chip. Whilethe emission process is weak, it is bright enough to be detected byhighly sensitive equipment developed for use in astronomy. Thetechnique, developed by IBM, is called PICA (Picosecond Imaging CircuitAnalyzer). If the state of a register is known at time t, then watchingthat register change over time will reveal the exact value at time t+n,and if the data is part of the key, then that part is compromised.

Monitoring EMI

Whenever electronic circuitry operates, faint electromagnetic signalsare given off. Relatively inexpensive equipment (a few thousand dollars)can monitor these signals. This could give enough information to allowan attacker to deduce the keys.

Viewing I_(dd) Fluctuations

Even if keys cannot be viewed, there is a fluctuation in currentwhenever registers change state. If there is a high enough signal tonoise ratio, an attacker can monitor the difference in I_(dd) that mayoccur when programming over either a high or a low bit. The change inI_(dd) can reveal information about the key. Attacks such as these havealready been used to break smart cards.

Differential Fault Analysis

This attack assumes introduction of a bit error by ionization, microwaveradiation, or environmental stress. In most cases such an error is morelikely to adversely affect the Chip (eg cause the program code to crash)rather than cause beneficial changes which would reveal the key.Targeted faults such as ROM overwrite, gate destruction etc are far morelikely to produce useful results.

Clock Glitch Attacks

Chips are typically designed to properly operate within a certain clockspeed range. Some attackers attempt to introduce faults in logic byrunning the chip at extremely high clock speeds or introduce a clockglitch at a particular time for a particular duration. The idea is tocreate race conditions where the circuitry does not function properly.An example could be an AND gate that (because of race conditions) gatesthrough Input₁ all the time instead of the AND of Input₁ and Input₂. Ifan attacker knows the internal structure of the chip, they can attemptto introduce race conditions at the correct moment in the algorithmexecution, thereby revealing information about the key (or in the worstcase, the key itself).

Power Supply Attacks

Instead of creating a glitch in the clock signal, attackers can alsoproduce glitches in the power supply where the power is increased ordecreased to be outside the working operating voltage range. The neteffect is the same as a clock glitch—introduction of error in theexecution of a particular instruction. The idea is to stop the CPU fromXORing the key, or from shifting the data one bit-position etc. Specificinstructions are targeted so that information about the key is revealed.

Overwriting ROM

Single bits in a ROM can be overwritten using a laser cutter microscope,to either 1 or 0 depending on the sense of the logic. With a givenopcode/operand set, it may be a simple matter for an attacker to changea conditional jump to a non-conditional jump, or perhaps change thedestination of a register transfer. If the target instruction is chosencarefully, it may result in the key being revealed.

Modifying EEPROM/Flash

EEPROM/Flash attacks are similar to ROM attacks except that the lasercutter microscope technique can be used to both set and reset individualbits. This gives much greater scope in terms of modification ofalgorithms.

Gate Destruction

Anderson and Kuhn described the rump session of the 1997 workshop onFast Software Encryption, where Biham and Shamir presented an attack onDES. The attack was to use a laser cutter to destroy an individual gatein the hardware implementation of a known block cipher (DES). The neteffect of the attack was to force a particular bit of a register to be“stuck”. Biham and Shamir described the effect of forcing a particularregister to be affected in this way—the least significant bit of theoutput from the round function is set to 0. Comparing the 6 leastsignificant bits of the left half and the right half can recover severalbits of the key. Damaging a number of chips in this way can revealenough information about the key to make complete key recovery easy. Anencryption chip modified in this way will have the property thatencryption and decryption will no longer be inverses.

Overwrite Attacks

Instead of trying to read the Flash memory, an attacker may simply set asingle bit by use of a laser cutter microscope. Although the attackerdoesn't know the previous value, they know the new value. If the chipstill works, the bit's original state must be the same as the new state.If the chip doesn't work any longer, the bit's original state must bethe logical NOT of the current state. An attacker can perform thisattack on each bit of the key and obtain the n-bit key using at most nchips (if the new bit matched the old bit, a new chip is not requiredfor determining the next bit).

Test Circuitry Attack

Most chips contain test circuitry specifically designed to check formanufacturing defects. This includes BIST (Built In Self Test) and scanpaths. Quite often the scan paths and test circuitry includes access andreadout mechanisms for all the embedded latches. In some cases the testcircuitry could potentially be used to give information about thecontents of particular registers. Test circuitry is often disabled oncethe chip has passed all manufacturing tests, in some cases by blowing aspecific connection within the chip. A determined attacker, however, canreconnect the test circuitry and hence enable it.

Memory Remanence

Values remain in RAM long after the power has been removed, althoughthey do not remain long enough to be considered non-volatile. Anattacker can remove power once sensitive information has been moved intoRAM (for example working registers), and then attempt to read the valuefrom RAM. This attack is most useful against security systems that haveregular RAM chips. A classic example is where a security system wasdesigned with an automatic power-shut-off that is triggered when thecomputer case is opened. The attacker was able to simply open the case,remove the RAM chips, and retrieve the key because of memory remanence.

Chip Theft Attack

If there are a number of stages in the lifetime of an AuthenticationChip, each of these stages must be examined in terms of ramificationsfor security should chips be stolen. For example, if information isprogrammed into the chip in stages, theft of a chip between stages mayallow an attacker to have access to key information or reduced effortsfor attack. Similarly, if a chip is stolen directly after manufacturebut before programming, does it give an attacker any logical or physicaladvantage?

Requirements

Existing solutions to the problem of authenticating consumables havetypically relied on physical patents on packaging. However this does notstop home refill operations or clone manufacture in countries with weakindustrial property protection. Consequently a much higher level ofprotection is required. The authentication mechanism is therefore builtinto an Authentication chip that allows a system to authenticate aconsumable securely and easily. Limiting ourselves to the systemauthenticating consumables (we don't consider the consumableauthenticating the system), two levels of protection can be considered:

-   -   Presence Only Authentication—This is where only the presence of        an Authentication Chip is tested. The Authentication Chip can be        reused in another consumable without to being reprogrammed.    -   Consumable Lifetime Authentication—This is where not only is the        presence of the Authentication Chip tested for, but also the        Authentication chip must only last the lifetime of the        consumable. For the chip to be reused it must be completely        erased and reprogrammed.

The two levels of protection address different requirements. We areprimarily concerned with Consumable Lifetime Authentication in order toprevent cloned versions of high volume consumables. In this case, eachchip should hold secure state information about the consumable beingauthenticated. It should be noted that a Consumable LifetimeAuthentication Chip could be used in any situation requiring a PresenceOnly Authentication Chip. The requirements for authentication, datastorage integrity and manufacture should be considered separately. Thefollowing sections summarize requirements of each.

Authentication

The authentication requirements for both Presence Only Authenticationand Consumable Lifetime Authentication are restricted to case of asystem authenticating a consumable. For Presence Only Authentication, wemust be assured that an Authentication Chip is physically present. ForConsumable Lifetime Authentication we also need to be assured that statedata actually came from the Authentication Chip, and that it has notbeen altered en route. These issues cannot be separated—data that hasbeen altered has a new source, and if the source cannot be determined,the question of alteration cannot be settled. It is not enough toprovide an authentication method that is secret, relying on a home-brewsecurity method that has not been scrutinized by security experts. Theprimary requirement therefore is to provide authentication by means thathave withstood the scrutiny of experts. The authentication scheme usedby the Authentication chip should be resistant to defeat by logicalmeans. Logical types of attack are extensive, and attempt to do one ofthree things:

-   -   Bypass the authentication process altogether    -   Obtain the secret key by force or deduction, so that any        question can be answered    -   Find enough about the nature of the authenticating questions and        answers in order to, without the key, give the right answer to        each question.

Data Storage Integrity

Although Authentication protocols take care of ensuring data integrityin communicated messages, data storage integrity is also required. Twokinds of data must be stored within the Authentication Chip:

-   -   Authentication data, such as secret keys    -   Consumable state data, such as serial numbers, and media        remaining etc.        The access requirements of these two data types differ greatly.        The Authentication chip therefore requires a storage/access        control mechanism that allows for the integrity requirements of        each type.

Authentication Data

Authentication data must remain confidential. It needs to be stored inthe chip during a manufacturing/programming stage of the chip's life,but from then on must not be permitted to leave the chip. It must beresistant to being read from non-volatile memory. The authenticationscheme is responsible for ensuring the key cannot be obtained bydeduction, and the manufacturing process is responsible for ensuringthat the key cannot be obtained by physical means. The size of theauthentication data memory area must be large enough to hold thenecessary keys and secret information as mandated by the authenticationprotocols.

Consumable State Data

Each Authentication chip needs to be able to also store 256 bits (32bytes) of consumable state data. Consumable state data can be dividedinto the following types. Depending on the application, there will bedifferent numbers of each of these types of data items. A maximum numberof 32 bits for a single data item is to be considered.

-   -   Read Only    -   ReadWrite    -   Decrement Only

Read Only data needs to be stored in the chip during amanufacturing/programming stage of the chip's life, but from then onshould not be allowed to change. Examples of Read Only data items areconsumable batch numbers and serial numbers.

ReadWrite data is changeable state information, for example, the lasttime the particular consumable was used. ReadWrite data items can beread and written an unlimited number of times during the lifetime of theconsumable. They can be used to store any state information about theconsumable. The only requirement for this data is that it needs to bekept in non-volatile memory. Since an attacker can obtain access to asystem (which can write to ReadWrite data), any attacker can potentiallychange data fields of this type. This data type should not be used forsecret information, and must be considered insecure.

Decrement Only data is used to count down the availability of consumableresources. A photocopier's toner cartridge, for example, may store theamount of toner remaining as a Decrement Only data item.

An ink cartridge for a color printer may store the amount of each inkcolor as a Decrement Only data item, requiring 3 (one for each of Cyan,Magenta, and Yellow), or even as many as 5 or 6 Decrement Only dataitems. The requirement for this kind of data item is that onceprogrammed with an initial value at the manufacturing/programming stage,it can only reduce in value. Once it reaches the minimum value, itcannot decrement any further. The Decrement Only data item is onlyrequired by Consumable Lifetime Authentication.

Manufacture

The Authentication chip ideally must have a low manufacturing cost inorder to be included as the authentication mechanism for low costconsumables. The Authentication chip should use a standard manufacturingprocess, such as Flash. This is necessary to:

-   -   Allow a great range of manufacturing location options    -   Use well-defined and well-behaved technology    -   Reduce cost        Regardless of the authentication scheme used, the circuitry of        the authentication part of the chip must be resistant to        physical attack. Physical attack comes in four main ways,        although the form of the attack can vary:    -   Bypassing the Authentication Chip altogether    -   Physical examination of chip while in operation (destructive and        non-destructive)    -   Physical decomposition of chip    -   Physical alteration of chip        Ideally, the chip should be exportable from the U.S., so it        should not be possible to use an Authentication chip as a secure        encryption device. This is low priority requirement since there        are many companies in other countries able to manufacture the        Authentication chips. In any case, the export restrictions from        the U.S. may change.

Authentication

Existing solutions to the problem of authenticating consumables havetypically relied on physical patents on packaging. However this does notstop home refill operations or clone manufacture in countries with weakindustrial property protection. Consequently a much higher level ofprotection is required. It is not enough to provide an authenticationmethod that is secret, relying on a home-brew security method that hasnot been scrutinized by security experts. Security systems such asNetscape's original proprietary system and the GSM Fraud PreventionNetwork used by cellular phones are examples where design secrecy causedthe vulnerability of the security. Both security systems were broken byconventional means that would have been detected if the companies hadfollowed an open design process. The solution is to provideauthentication by means that have withstood the scrutiny of experts. Anumber of protocols that can be used for consumables authentication. Weonly use security methods that are publicly described, using knownbehaviors in this new way. For all protocols, the security of the schemerelies on a secret key, not a secret algorithm. All the protocols relyon a time-variant challenge (i.e. the challenge is different each time),where the response depends on the challenge and the secret. Thechallenge involves a random number so that any observer will not be ableto gather useful information about a subsequent identification. Twoprotocols are presented for each of Presence Only Authentication andConsumable Lifetime Authentication. Although the protocols differ in thenumber of Authentication Chips required for the authentication process,in all cases the System authenticates the consumable. Certain protocolswill work with either one or two chips, while other protocols only workwith two chips. Whether one chip or two Authentication Chips are usedthe System is still responsible for making the authentication decision.

Single Chip Authentication

When only one Authentication chip is used for the authenticationprotocol, a single chip 10 (referred to as ChipA) is responsible forproving to a system 11 (referred to as System) that it is authentic. Atthe start of the protocol, System 11 is unsure of ChipA's authenticity.System 11 undertakes a challenge-response protocol with ChipA 10, andthus determines ChipA's authenticity. In all protocols the authenticityof the consumable 12 is directly based on the authenticity of the chip,i.e. if ChipA 10 is considered authentic, then the consumable 12, inwhich chip 10 is placed, is considered authentic. The data flow can beseen in FIG. 1, and involves a challenge 13 issued from the system, anda response 14 returned by the chip 10.

In single chip authentication protocols, System 11 can be software,hardware or a combination of both. It is important to note that System11 is considered insecure—it can be easily reverse engineered by anattacker, either by examining the ROM or by examining circuitry. Systemis not specially engineered to be secure in itself.

Double Chip Authentication

In other protocols, two Authentication Chips are required. A single chip20 (referred to as ChipA) is responsible for proving to a system 21(referred to as System) that it is authentic. ChipA 20 is associatedwith the consumable 22. As part of the authentication process, System 21makes use of a trusted Authentication Chip 23 (referred to as ChipT).

In double chip authentication protocols, System 21 can be software,hardware or a combination of both. However ChipT 23 must be a physicalAuthentication Chip. In some protocols ChipT 23 and ChipA 20 have thesame internal structure, while in others ChipT 23 and ChipA 20 havedifferent internal structures. The data flow can be seen in FIG. 2, andcan be seen to involve a challenge 24 from system 21 to chipA 20 and arequest 25 from system 21 to chipT 23, and a response 26 from chipA 20to system 21 and information 27 from chipT 23 to system 21.

Presence Only Authentication (Insecure State Data)

For this level of consumable authentication we are only concerned aboutvalidating the presence of the Authentication chip. Although theAuthentication Chip can contain state information, the transmission ofthat state information would not be considered secure. Two protocols arepresented. Protocol 1 requires 2 Authentication Chips, while Protocol 2can be implemented using either 1 or 2 Authentication Chips.

Protocol 1

Protocol 1 is a double chip protocol (two Authentication Chips arerequired). Each Authentication Chip contains the following values:

-   -   K Key for F_(K)[X]. Must be secret.    -   R Current random number. Does not have to be secret, but must be        seeded with a different initial value for each chip instance.        Changes with each invocation of the Random function.

Each Authentication Chip contains the following logical functions:

-   -   Random[ ] Returns R, and advances R to next in sequence.    -   F[X] Returns F_(K)[X], the result of applying a one-way function        F to X based upon the secret key K.

The protocol is as follows:

-   -   1. System 21 requests 30 Random[ ] from ChipT 23;    -   2. ChipT 23 returns 31 R to System 21;    -   3. System 21 requests 32 F[R] from both ChipT 23 and ChipA 20;    -   4. ChipT 23 returns 34 F_(KT)[R] to System 21;    -   5. ChipA 20 returns 35 F_(KA)[R] to System 21;    -   6. System compares F_(KT)[R] with F_(KA)[R]. If they are equal,        then ChipA is considered valid. If not, then ChipA is considered        invalid.        The data flow can be seen in FIG. 3.

The System 21 does not have to comprehend F_(K)[R] messages. It mustmerely check that the responses from ChipA and ChipT are the same. TheSystem 21 therefore does not require the key. The security of Protocol 1lies in two places:

-   -   The security of F[X]. Only Authentication chips contain the        secret key, so anything that can produce an F[X] from an X that        matches the F[X] generated by a trusted Authentication chip        (ChipT) must be authentic.    -   The domain of R generated by all Authentication chips must be        large and non-deterministic. If the domain of R generated by all        Authentication chips is small, then there is no need for a clone        manufacturer to crack the key. Instead, the clone manufacturer        could incorporate a ROM in their chip that had a record of all        of the responses from a genuine chip to the codes sent by the        system. The Random function does not strictly have to be in the        Authentication Chip, since System can potentially generate the        same random number sequence. However it simplifies the design of        System and ensures the security of the random number generator        will be the same for all implementations that use the        Authentication Chip, reducing possible error in system        implementation.

Protocol 1 has several advantages:

-   -   K is not revealed during the authentication process    -   Given X, a clone chip cannot generate F_(K)[X] without K or        access to a real Authentication Chip.    -   System is easy to design, especially in low cost systems such as        ink-jet printers, as no encryption or decryption is required by        System itself.    -   A wide range of keyed one-way functions exists, including        symmetric cryptography, random number sequences, and message        authentication codes.    -   One-way functions require fewer gates and are easier to verify        than asymmetric algorithms).    -   Secure key size for a keyed one-way function does not have to be        as large as for an asymmetric (public key) algorithm. A minimum        of 128 bits can provide appropriate security if F[X] is a        symmetric cryptographic function.

However there are problems with this protocol:

-   -   It is susceptible to chosen text attack. An attacker can plug        the chip into their own system, generate chosen Rs, and observe        the output. In order to find the key, an attacker can also        search for an R that will generate a specific F[M] since        multiple Authentication chips can be tested in parallel.    -   Depending on the one-way function chosen, key generation can be        complicated. The method of selecting a good key depends on the        algorithm being used. Certain keys are weak for a given        algorithm.    -   The choice of the keyed one-way functions itself is non-trivial.        Some require licensing due to patent protection.    -   A man-in-the middle could take action on a plaintext message M        before passing it on to ChipA—it would be preferable if the        man-in-the-middle did not see M until after ChipA had seen it.        It would be even more preferable if a man-in-the-middle didn't        see M at all.    -   If F is symmetric encryption, because of the key size needed for        adequate security, the chips could not be exported from the USA        since they could be used as strong encryption devices.

If Protocol 1 is implemented with F as an asymmetric encryptionalgorithm, there is no advantage over the symmetric case—the keys needsto be longer and the encryption algorithm is more expensive in silicon.Protocol 1 must be implemented with 2 Authentication Chips in order tokeep the key secure. This means that each System requires anAuthentication Chip and each consumable requires an Authentication Chip.

Protocol 2

In some cases, System may contain a large amount of processing power.Alternatively, for instances of systems that are manufactured in largequantities, integration of ChipT into System may be desirable. Use of anasymmetrical encryption algorithm allows the ChipT portion of System tobe insecure. Protocol 2 therefore, uses asymmetric cryptography. Forthis protocol, each chip contains the following values:

-   -   K Key for E_(K)[X] and D_(K)[X]. Must be secret in ChipA. Does        not have to be secret in ChipT.    -   R Current random number. Does not have to be secret, but must be        seeded with a different initial value for each chip instance.        Changes with each invocation of the Random function.

The following functions are defined:

-   -   E[X] ChipT only. Returns E_(K)[X] where E is asymmetric encrypt        function E.    -   D[X] ChipA only. Returns D_(K)[X] where D is asymmetric decrypt        function D.    -   Random[ ] ChipT only. Returns R|E_(K)[R], where R is random        number based on seed S. Advances R to next in random number        sequence.        The public key K_(T) is in ChipT 23, while the secret key K_(A)        is in ChipA 20. Having K_(T) in ChipT 23 has the advantage that        ChipT can be implemented in software or hardware (with the        proviso that the seed for R is different for each chip or        system). Protocol 2 therefore can be implemented as a Single        Chip Protocol or as a Double Chip Protocol. The protocol for        authentication is as follows:    -   1. System 21 calls 40 ChipT's Random function;    -   2. ChipT 23 returns 41 R|E_(KT)[R] to System 21;    -   3. System 21 calls 42 ChipA's D function, passing in E_(KT)[R];    -   4. ChipA 20 returns 43 R, obtained by D_(KA)[E_(KT)[R]];    -   5. System 21 compares R from ChipA 20 to the original R        generated by ChipT 23. If they are equal, then ChipA 20 is        considered valid. If not, ChipA 20 is invalid.

The data flow can be seen in FIG. 4.

Protocol 2 has the following advantages:

-   -   K_(A) (the secret key) is not revealed during the authentication        process    -   Given E_(KT)[X], a clone chip cannot generate X without K_(A) or        access to a real ChipA.    -   Since K_(T)≠K_(A), ChipT can be implemented completely in        software or in insecure hardware or as part of System. Only        ChipA (in the consumable) is required to be a secure        Authentication Chip.    -   If ChipT is a physical chip, System is easy to design.    -   There are a number of well-documented and cryptanalyzed        asymmetric algorithms to chose from for implementation,        including patent-free and license-free solutions.

However, Protocol 2 has a number of its own problems:

-   -   For satisfactory security, each key needs to be 2048 bits        (compared to minimum 128 bits for symmetric cryptography in        Protocol 1). The associated intermediate memory used by the        encryption and decryption algorithms is correspondingly larger.    -   Key generation is non-trivial. Random numbers are not good keys.    -   If ChipT is implemented as a core, there may be difficulties in        linking it into a given System ASIC.    -   If ChipT is implemented as software, not only is the        implementation of System open to programming error and        non-rigorous testing, but the integrity of the compiler and        mathematics primitives must be rigorously checked for each        implementation of System. This is more complicated and costly        than simply using a well-tested chip.    -   Although many symmetric algorithms are specifically strengthened        to be resistant to differential cryptanalysis (which is based on        chosen text attacks), the private key K_(A) is susceptible to a        chosen text attack    -   If ChipA and ChipT are instances of the same Authentication        Chip, each chip must contain both asymmetric encrypt and decrypt        functionality. Consequently each chip is larger, more complex,        and more expensive than the chip required for Protocol 1.    -   If the Authentication Chip is broken into 2 chips to save cost        and reduce complexity of design/test, two chips still need to be        manufactured, reducing the economies of scale. This is offset by        the relative numbers of systems to consumables, but must still        be taken into account.    -   Protocol 2 Authentication Chips could not be exported from the        USA, since they would be considered strong encryption devices.        Even if the process of choosing a key for Protocol 2 was        straightforward, Protocol 2 is impractical at the present time        due to the high cost of silicon implementation (both key size        and functional implementation). Therefore Protocol 1 is the        protocol of choice for Presence Only Authentication.        Clone Consumable using Real Authentication Chip

Protocols 1 and 2 only check that ChipA is a real Authentication Chip.They do not check to see if the consumable itself is valid. Thefundamental assumption for authentication is that if ChipA is valid, theconsumable is valid. It is therefore possible for a clone manufacturerto insert a real Authentication Chip into a clone consumable. There aretwo cases to consider:

-   -   In cases where state data is not written to the Authentication        Chip, the chip is completely reusable. Clone manufacturers could        therefore recycle a valid consumable into a clone consumable.        This may be made more difficult by melding the Authentication        Chip into the consumable's physical packaging, but it would not        stop refill operators.    -   In cases where state data is written to the Authentication Chip,        the chip may be new, partially used up, or completely used up.        However this does not stop a clone manufacturer from using the        Piggyback attack, where the clone manufacturer builds a chip        that has a real Authentication Chip as a piggyback. The        Attacker's chip (ChipE) is therefore a man-in-the-middle. At        power up, ChipE reads all the memory state values from the real        Authentication chip into its own memory. ChipE then examines        requests from System, and takes different actions depending on        the request. Authentication requests can be passed directly to        the real Authentication chip, while read/write requests can be        simulated by a memory that resembles real Authentication Chip        behavior. In this way the Authentication chip will always appear        fresh at power-up. ChipE can do this because the data access is        not authenticated.

In order to fool System into thinking its data accesses were successful,ChipE still requires a real Authentication Chip, and in the second case,a clone chip is required in addition to a real Authentication Chip.Consequently Protocols 1 and 2 can be useful in situations where it isnot cost effective for a clone manufacturer to embed a realAuthentication chip into the consumable. If the consumable cannot berecycled or refilled easily, it may be protection enough to useProtocols 1 or 2. For a clone operation to be successful each cloneconsumable must include a valid Authentication Chip. The chips wouldhave to be stolen en masse, or taken from old consumables. The quantityof these reclaimed chips (as well as the effort in reclaiming them)should not be enough to base a business on, so the added protection ofsecure data transfer (see Protocols 3 and 4) may not be useful.

Longevity of Key

A general problem of these two protocols is that once the authenticationkey is chosen, it cannot easily be changed. In some instances akey-compromise is not a problem, while for others a key compromise isdisastrous. For example, in a car/car-key System/Consumable scenario,the customer has only one set of car/car-keys. Each car has a differentauthentication key. Consequently the loss of a car-key only compromisesthe individual car. If the owner considers this a problem, they must geta new lock on the car by replacing the System chip inside the car'selectronics. The owner's keys must be reprogrammed/replaced to work withthe new car System Authentication Chip. By contrast, a compromise of akey for a high volume consumable market (for example ink cartridges inprinters) would allow a clone ink cartridge manufacturer to make theirown Authentication Chips. The only solution for existing systems is toupdate the System Authentication Chips, which is a costly andlogistically difficult exercise. In any case, consumers' Systems alreadywork—they have no incentive to hobble their existing equipment.

Consumable Lifetime Authentication

In this level of consumable authentication we are concerned withvalidating the existence of the Authentication Chip, as well as ensuringthat the Authentication Chip lasts only as long as the consumable. Inaddition to validating that an Authentication Chip is present, writesand reads of the Authentication Chip's memory space must beauthenticated as well. In this section we assume that the AuthenticationChip's data storage integrity is secure—certain parts of memory are ReadOnly, others are Read/Write, while others are Decrement Only (see thechapter entitled Data Storage Integrity for more information). Twoprotocols are presented. Protocol 3 requires 2 Authentication Chips,while Protocol 4 can be implemented using either 1 or 2 AuthenticationChips.

Protocol 3

This protocol is a double chip protocol (two Authentication Chips arerequired). For this protocol, each Authentication Chip contains thefollowing values:

-   -   K₁ Key for calculating F_(K1)[X]. Must be secret.    -   K₂ Key for calculating F_(K2)[X]. Must be secret.    -   R Current random number. Does not have to be secret, but must be        seeded with a different initial value for each chip instance.        Changes with each successful authentication as defined by the        Test function.    -   M Memory vector of Authentication chip. Part of this space        should be different for each chip (does not have to be a random        number).        Each Authentication Chip contains the following logical        functions:    -   F[X] Internal function only. Returns F_(K)[X], the result of        applying a one-way function F to X based upon either key K₁ or        key K₂    -   Random[ ] Returns R|F_(K1)[R].    -   Test[X, Y] Returns 1 and advances R if F_(K2)[R|X]=Y. Otherwise        returns 0. The time taken to return 0 must be identical for all        bad inputs.    -   Read[X, Y] Returns M|F_(K2)[X|M] if F_(K1)[X]=Y. Otherwise        returns 0. The time taken to return 0 must be identical for all        bad inputs.    -   Write[X] Writes X over those parts of M that can legitimately be        written over.

To authenticate ChipA 20 and read ChipA's memory M:

1. System 21 calls 50 ChipT's Random function;2. ChipT 23 produces R|F_(K)[R] and returns 51 these to System;3. System 21 calls 52 ChipA's Read function, passing in R, F_(K)[R];4. ChipA 20 returns 53 M and F_(K)[R|M];5. System 21 calls 54 ChipT's Test function, passing in M andF_(K)[R|M];6. System 21 checks response 55 from ChipT 23. If the response is 1,then ChipA 20 is considered authentic. If 0, ChipA 20 is consideredinvalid.

To authenticate a write of M_(new) to ChipA's memory M:

1. System calls ChipA's Write function, passing in M_(new);2. The authentication procedure for a Read is carried out;3. If ChipA is authentic and M_(new)=M, the write succeeded. Otherwiseit failed.

The data flow for read authentication is shown in FIG. 5.

The first thing to note about Protocol 3 is that F_(K)[X] cannot becalled directly. Instead F_(K)[X] is called indirectly by Random, Testand Read:

-   -   Random[ ] calls F_(K1)[X] X is not chosen by the caller. It is        chosen by the Random function. An attacker must perform a brute        force search using multiple calls to Random, Read, and Test to        obtain a desired X, F_(K1)[X] pair.    -   Test[X, Y] calls F_(K2)[R|X] Does not return result directly,        but compares the result to Y and then returns 1 or 0. Any        attempt to deduce K₂ by calling Test multiple times trying        different values of F_(K2)[R|X] for a given X is reduced to a        brute force search where R cannot even be chosen by the        attacker.    -   Read[X, Y] calls F_(K1)[X] X and F_(K1)[X] must be supplied by        caller, so the caller must already know the X, F_(K1)[X] pair.        Since the call returns 0 if Y≠F_(K1)[X], a caller can use the        Read function for a brute force attack on K₁.    -   Read[X, Y] calls F_(K2)[X|M], X is supplied by caller, however X        can only be those values already given out by the Random        function (since X and Y are validated via K₁). Thus a chosen        text attack must first collect pairs from Random (effectively a        brute force attack). In addition, only part of M can be used in        a chosen text attack since some of M is constant (read-only) and        the decrement-only part of M can only be used once per        consumable. In the next consumable the read-only part of M will        be different.        Having F_(K)[X] being called indirectly prevents chosen text        attacks on the Authentication Chip. Since an attacker can only        obtain a chosen R, F_(K1)[R] pair by calling Random, Read, and        Test multiple times until the desired R appears, a brute force        attack on K₁ is required in order to perform a limited chosen        text attack on K₂. Any attempt at a chosen text attack on K₂        would be limited since the text cannot be completely chosen:        parts of M are read-only, yet different for each Authentication        Chip. The second thing to note is that two keys are used. Given        the small size of M, two different keys K₁ and K₂ are used in        order to ensure there is no correlation between F[R] and F[R|M].        K₁ is therefore used to help protect K₂ against differential        attacks. It is not enough to use a single longer key since M is        only 256 bits, and only part of M changes during the lifetime of        the consumable. Otherwise it is potentially possible that an        attacker via some as-yet undiscovered technique, could determine        the effect of the limited changes in M to particular bit        combinations in R and thus calculate F_(K2)[X|M] based on        F_(K1)[X]. As an added precaution, the Random and Test functions        in ChipA should be disabled so that in order to generate R,        F_(K)[R] pairs, an attacker must use instances of ChipT, each of        which is more expensive than ChipA (since a system must be        obtained for each ChipT). Similarly, there should be a minimum        delay between calls to Random, Read and Test so that an attacker        cannot call these functions at high speed. Thus each chip can        only give a specific number of X, F_(K)[X] pairs away in a        certain time period. The only specific timing requirement of        Protocol 3 is that the return value of 0 (indicating a bad        input) must be produced in the same amount of time regardless of        where the error is in the input. Attackers can therefore not        learn anything about what was bad about the input value. This is        true for both RD and TST functions. Another thing to note about        Protocol 3 is that Reading data from ChipA also requires        authentication of ChipA. The System can be sure that the        contents of memory (M) is what ChipA claims it to be if        F_(K2)[R|M] is returned correctly. A clone chip may pretend that        M is a certain value (for example it may pretend that the        consumable is full), but it cannot return F_(K2)[R|M] for any R        passed in by System. Thus the effective signature F_(K2)[R|M]        assures System that not only did an authentic ChipA send M, but        also that M was not altered in between ChipA and System.        Finally, the Write function as defined does not authenticate the        Write. To authenticate a write, the System must perform a Read        after each Write. There are some basic advantages with Protocol        3:    -   K₁ and K₂ are not revealed during the authentication process    -   Given X, a clone chip cannot generate F_(K2)[X|M] without the        key or access to a real Authentication Chip.    -   System is easy to design, especially in low cost systems such as        ink-jet printers, as no encryption or decryption is required by        System itself.    -   A wide range of key based one-way functions exists, including        symmetric cryptography, random number sequences, and message        authentication codes.    -   Keyed one-way functions require fewer gates and are easier to        verify than asymmetric algorithms).    -   Secure key size for a keyed one-way function does not have to be        as large as for an asymmetric (public key) algorithm. A minimum        of 128 bits can provide appropriate security if F[X] is a        symmetric cryptographic function.        Consequently, with Protocol 3, the only way to authenticate        ChipA is to read the contents of ChipA's memory. The security of        this protocol depends on the underlying F_(K)[X] scheme and the        domain of R over the set of all Systems. Although F_(K)[X] can        be any keyed one-way function, there is no advantage to        implement it as asymmetric encryption. The keys need to be        longer and the encryption algorithm is more expensive in        silicon. This leads to a second protocol for use with asymmetric        algorithms—Protocol 4. Protocol 3 must be implemented with 2        Authentication Chips in order to keep the keys secure. This        means that each System requires an Authentication Chip and each        consumable requires an Authentication Chip

Protocol 4

In some cases, System may contain a large amount of processing power.Alternatively, for instances of systems that are manufactured in largequantities, integration of ChipT into System may be desirable. Use of anasymmetrical encryption algorithm can allow the ChipT portion of Systemto be insecure. Protocol 4 therefore, uses asymmetric cryptography. Forthis protocol, each chip contains the following values:

-   -   K Key for E_(K)[X] and D_(K)[X]. Must be secret in ChipA. Does        not have to be secret in ChipT.    -   R Current random number. Does not have to be secret, but must be        seeded with a different initial value for each chip instance.        Changes with each successful authentication as defined by the        Test function.    -   M Memory vector of Authentication chip. Part of this space        should be different for each chip, (does not have to be a random        number).        There is no point in verifying anything in the Read function,        since anyone can encrypt using a public key. Consequently the        following functions are defined:    -   E[X] Internal function only. Returns E_(K)[X] where E is        asymmetric encrypt function E.    -   D[X] Internal function only. Returns D_(K)[X] where D is        asymmetric decrypt function D.    -   Random[ ] ChipT only. Returns E_(K)[R].    -   Test[X, Y] Returns 1 and advances R if D_(K)[R|X]=Y. Otherwise        returns 0. The time taken to return 0 must be identical for all        bad inputs.    -   Read[X] Returns M|E_(K)[R|M] where R=D_(K)[X] (does not test        input).    -   Write[X] Writes X over those parts of M that can legitimately be        written over.

The public key K_(T) is in ChipT, while the secret key K_(A) is inChipA. Having K_(T) in ChipT has the advantage that ChipT can beimplemented in software or hardware (with the proviso that R is seededwith a different random number for each system).

To authenticate ChipA 20 and read ChipA's memory M:

1. System 21 calls 60 ChipT's Random function;2. ChipT 23 produces and returns 61 E_(KT)[R] to System;3. System 21 calls 62 ChipA's Read function, passing in E_(KT)[R];4. ChipA 20 returns 63 M|E_(KA)[R|M], first obtaining R byD_(KA)[E_(KT)[R]];5. System 21 calls 64 ChipT's Test function, passing in M andE_(KA)[R|M];6. ChipT 23 calculates D_(KT)[E_(KA)[R|M]] and compares it to R|M.7. System 21 checks response 65 from ChipT. If the response 65 is 1,then ChipA 20 is considered authentic. If 0, ChipA 20 is consideredinvalid.

To authenticate a write of M_(new) to ChipA's memory M:

1. System calls ChipA's Write function, passing in M_(new);2. The authentication procedure for a Read is carried out;3. If ChipA is authentic and M_(new)=M, the write succeeded. Otherwiseit failed.

The data flow for read authentication is shown in FIG. 6.

Only a valid ChipA would know the value of R, since R is not passed intothe Authenticate function (it is passed in as an encrypted value). Rmust be obtained by decrypting E[R], which can only be done using thesecret key K_(A). Once obtained, R must be appended to M and then theresult re-encoded. ChipT can then verify that the decoded form ofE_(KA)[R|M]=R|M and hence ChipA is valid. Since K_(T)≠K_(A),E_(KT)[R]≠E_(KA)[R]. Protocol 4 has the following advantages:

-   -   K_(A) (the secret key) is not revealed during the authentication        process    -   Given E_(KT)[X], a clone chip cannot generate X without K_(A) or        access to a real ChipA.    -   Since K_(T)≠K_(A), ChipT can be implemented completely in        software or in insecure hardware or as part of System. Only        ChipA is required to be a secure Authentication Chip.    -   Since ChipT and ChipA contain different keys, intense testing of        ChipT will reveal nothing about K_(A).    -   If ChipT is a physical chip, System is easy to design.    -   There are a number of well-documented and cryptanalyzed        asymmetric algorithms to chose from for implementation,        including patent-free and license-free solutions.    -   Even if System could be rewired so that ChipA requests were        directed to ChipT, ChipT could never answer for ChipA since        K_(T)≠K_(A). The attack would have to be directed at the System        ROM itself to bypass the Authentication protocol.

However, Protocol 4 has a number of disadvantages:

-   -   All Authentication Chips need to contain both asymmetric encrypt        and decrypt functionality. Consequently each chip is larger,        more complex, and more expensive than the chip required for        Protocol 3.    -   For satisfactory security, each key needs to be 2048 bits        (compared to a minimum of 128 bits for symmetric cryptography in        Protocol 1). The associated intermediate memory used by the        encryption and decryption algorithms is correspondingly larger.    -   Key generation is non-trivial. Random numbers are not good keys.    -   If ChipT is implemented as a core, there may be difficulties in        linking it into a given System ASIC.    -   If ChipT is implemented as software, not only is the        implementation of System open to programming error and        non-rigorous testing, but the integrity of the compiler and        mathematics primitives must be rigorously checked for each        implementation of System. This is more complicated and costly        than simply using a well-tested chip.    -   Although many symmetric algorithms are specifically strengthened        to be resistant to differential cryptanalysis (which is based on        chosen text attacks), the private key K_(A) is susceptible to a        chosen text attack    -   Protocol 4 Authentication Chips could not be exported from the        USA, since they would be considered strong encryption devices.        As with Protocol 3, the only specific timing requirement of        Protocol 4 is that the return value of 0 (indicating a bad        input) must be produced in the same amount of time regardless of        where the error is in the input. Attackers can therefore not        learn anything about what was bad about the input value. This is        true for both RD and TST functions.

Variation on Call to TST

If there are two Authentication Chips used, it is theoretically possiblefor a clone manufacturer to replace the System Authentication Chip withone that returns 1 (success) for each call to TST. The System can testfor this by calling TST a number of times—N times with a wrong hashvalue, and expect the result to be 0. The final time that TST is called,the true returned value from ChipA is passed, and the return value istrusted. The question then arises of how many times to call TST. Thenumber of calls must be random, so that a clone chip manufacturer cannotknow the number ahead of time. If System has a clock, bits from theclock can be used to determine how many false calls to TST should bemade. Otherwise the returned value from ChipA can be used. In the lattercase, an attacker could still rewire the System to permit a clone ChipTto view the returned value from ChipA, and thus know which hash value isthe correct one. The worst case of course, is that the System can becompletely replaced by a clone System that does not requireauthenticated consumables—this is the limit case of rewiring andchanging the System. For this reason, the variation on calls to TST isoptional, depending on the System, the Consumable, and how likelymodifications are to be made. Adding such logic to System (for examplein the case of a small desktop printer) may be considered notworthwhile, as the System is made more complicated. By contrast, addingsuch logic to a camera may be considered worthwhile.

Clone Consumable using Real Authentication Chip

It is important to decrement the amount of consumable remaining beforeuse that consumable portion. If the consumable is used first, a cloneconsumable could fake a loss of contact during a write to the specialknown address and then appear as a fresh new consumable. It is importantto note that this attack still requires a real Authentication Chip ineach consumable.

Longevity of Key

A general problem of these two protocols is that once the authenticationkeys are chosen, it cannot easily be changed. In some instances akey-compromise is not a problem, while for others a key compromise isdisastrous.

Choosing a Protocol

Even if the choice of keys for Protocols 2 and 4 was straightforward,both protocols are impractical at the present time due to the high costof silicon implementation (both due to key size and functionalimplementation). Therefore Protocols 1 and 3 are the two protocols ofchoice. However, Protocols 1 and 3 contain much of the same components:

-   -   both require read and write access;    -   both require implementation of a keyed one-way function; and    -   both require random number generation functionality.        Protocol 3 requires an additional key (K₂), as well as some        minimal state machine changes:    -   a state machine alteration to enable F_(K1)[X] to be called        during Random;    -   a Test function which calls F_(K2)[X]    -   a state machine alteration to the Read function to call        F_(K1)[X] and F_(K2)[X] Protocol 3 only requires minimal changes        over Protocol 1. It is more secure and can be used in all places        where Presence Only Authentication is required (Protocol 1). It        is therefore the protocol of choice. Given that Protocols 1 and        3 both make use of keyed one-way functions, the choice of        one-way function is examined in more detail here. The following        table outlines the attributes of the applicable choices. The        attributes are worded so that the attribute is seen as an        advantage.

Triple DES Blowfish RC5 IDEA Random Sequences HMAC-MD5 HMAC-SHA1HMAC-RIPEMD160 Free of patents • • • • • • Random key generation • • •Can be exported from the • • • • USA Fast • • • • Preferred Key Size(bits) for 168 128 128 128 512 128 160 160 use in this application Blocksize (bits)  64  64  64  64 256 512 512 512 Cryptanalysis Attack-Free •• • • • (apart from weak keys) Output size given input size N ≧N ≧N ≧N≧N 128 128 160 160 Low storage requirements • • • • Low siliconcomplexity • • • • NSA designed • •An examination of the table shows that the choice is effectively betweenthe 3 HMAC constructs and the Random Sequence. The problem of key sizeand key generation eliminates the Random Sequence. Given that a numberof attacks have already been carried out on MD5 and since the hashresult is only 128 bits, HMAC-MD5 is also eliminated. The choice istherefore between HMAC-SHA1 and HMAC-RIPEMD160. RIPEMD-160 is relativelynew, and has not been as extensively cryptanalyzed as SHA1. However,SHA-1 was designed by the NSA, so this may be seen by some as a negativeattribute. Given that there is not much between the two, SHA-1 will beused for the HMAC construct.

Choosing A Random Number Generator

Each of the protocols described (1-4) requires a random numbergenerator. The generator must be “good” in the sense that the randomnumbers generated over the life of all Systems cannot be predicted. Ifthe random numbers were the same for each System, an attacker couldeasily record the correct responses from a real Authentication Chip, andplace the responses into a ROM lookup for a clone chip. With such anattack there is no need to obtain K₁ or K₂. Therefore the random numbersfrom each System must be different enough to be unpredictable, ornon-deterministic. As such, the initial value for R (the random seed)should be programmed with a physically generated random number gatheredfrom a physically random phenomenon, one where there is no informationabout whether a particular bit will be 1 or 0. The seed for R must NOTbe generated with a computer-run random number generator. Otherwise thegenerator algorithm and seed may be compromised enabling an attacker togenerate and therefore know the set of all R values in all Systems.

Having a different R seed in each Authentication Chip means that thefirst R will be both random and unpredictable across all chips. Thequestion therefore arises of how to generate subsequent R values in eachchip.

The base case is not to change R at all. Consequently R and F_(K1)[R]will be the same for each call to Random[ ]. If they are the same, thenF_(K1)[R] can be a constant rather than calculated. An attacker couldthen use a single valid Authentication Chip to generate a valid lookuptable, and then use that lookup table in a clone chip programmedespecially for that System. A constant R is not secure.

The simplest conceptual method of changing R is to increment it by 1.Since R is random to begin with, the values across differing systems arestill likely to be random. However given an initial R, all subsequent Rvalues can be determined directly (there is no need to iterate 10,000times—R will take on values from R₀ to R₀+10000). An incrementing R isimmune to the earlier attack on a constant R. Since R is alwaysdifferent, there is no way to construct a lookup table for theparticular System without wasting as many real Authentication Chips asthe clone chip will replace.

Rather than increment using an adder, another way of changing R is toimplement it as an LFSR (Linear Feedback Shift Register). This has theadvantage of less silicon than an adder, but the advantage of anattacker not being able to directly determine the range of R for aparticular System, since an LFSR value-domain is determined bysequential access. To determine which values an given initial R willgenerate, an attacker must iterate through the possibilities andenumerate them. The advantages of a changing R are also evident in theLFSR solution. Since R is always different, there is no way to constructa lookup table for the particular System without using-up as many realAuthentication Chips as the clone chip will replace (and only for thatSystem). There is therefore no advantage in having a more complexfunction to change R. Regardless of the function, it will always bepossible for an attacker to iterate through the lifetime set of valuesin a simulation. The primary security lies in the initial randomness ofR. Using an LFSR to change R (apart from using less silicon than anadder) simply has the advantage of not being restricted to a consecutivenumeric range (i.e. knowing R, R_(N) cannot be directly calculated; anattacker must iterate through the LFSR N times).

The Random number generator 70 within the Authentication Chip istherefore an LFSR 71 with 160 bits and four taps 72, 73, 74 and 75,which feed an exclusive-OR gate 76, which in turn feeds back 77 tobit₁₅₉. Tap selection of the 160 bits for a maximal-period LFSR (i.e.the LFSR will cycle through all 2¹⁶⁰-1 states, 0 is not a valid state)yields bits 5, 3, 2, and 0, as shown in FIG. 7. The LFSR is sparse, inthat not many bits are used for feedback (only 4 out of 160 bits areused). This is a problem for cryptographic applications, but not forthis application of non-sequential number generation. The 160-bit seedvalue for R can be any random number except 0, since an LFSR filled with0s will produce a never-ending stream of 0s. Since the LFSR described isa maximal period LFSR, all 160 bits can be used directly as R. There isno need to construct a number sequentially from output bits of b₀. Aftereach successful call to TST, the random number (R) must be advanced byXORing bits 1, 2, 4, and 159, and shifting the result into the highorder bit. The new R and corresponding F_(K1)[R] can be retrieved on thenext call to Random.

Holding out Against Logical Attacks

Protocol 3 is the authentication scheme used by the Authentication Chip.As such, it should be resistant to defeat by logical means. While theeffect of various types of attacks on Protocol 3 have been mentioned indiscussion, this section details each type of attack in turn withreference to Protocol 3.

Brute Force Attack

A Brute Force attack is guaranteed to break Protocol 3. However thelength of the key means that the time for an attacker to perform a bruteforce attack is too long to be worth the effort. An attacker only needsto break K₂ to build a clone Authentication Chip. K₁ is merely presentto strengthen K₂ against other forms of attack. A Brute Force Attack onK₂ must therefore break a 160-bit key. An attack against K₂ requires amaximum of 2¹⁶⁰ attempts, with a 50% chance of finding the key afteronly 2¹⁵⁹ attempts. Assuming an array of a trillion processors, eachrunning one million tests per second, 2¹⁵⁹ (7.3×10⁴⁷) tests takes2.3×10²³ years, which is longer than the lifetime of the universe. Thereare only 100 million personal computers in the world. Even if these wereall connected in an attack (e.g. via the Internet), this number is still10,000 times smaller than the trillion-processor attack described.Further, if the manufacture of one trillion processors becomes apossibility in the age of nanocomputers, the time taken to obtain thekey is longer than the lifetime of the universe.

Guessing the Key Attack

It is theoretically possible that an attacker can simply “guess thekey”. In fact, given enough time, and trying every possible number, anattacker will obtain the key. This is identical to the Brute Forceattack described above, where 2¹⁵⁹ attempts must be made before a 50%chance of success is obtained. The chances of someone simply guessingthe key on the first try is 2¹⁶⁰. For comparison, the chance of someonewinning the top prize in a U.S. state lottery and being killed bylightning in the same day is only 1 in 2⁶¹. The chance of someoneguessing the Authentication Chip key on the first go is 1 in 2¹⁶⁰, whichis comparative to two people choosing exactly the same atoms from achoice of all the atoms in the Earth i.e. extremely unlikely.

Quantum Computer Attack

To break K₂, a quantum computer containing 160 qubits embedded in anappropriate algorithm must be built. An attack against a 160-bit key isnot feasible. An outside estimate of the possibility of quantumcomputers is that 50 qubits may be achievable within 50 years. Evenusing a 50 qubit quantum computer, 2¹¹⁰ tests are required to crack a160 bit key. Assuming an array of 1 billion 50 qubit quantum computers,each able to try 2⁵⁰ keys in 1 microsecond (beyond the current wildestestimates) finding the key would take an average of 18 billion years.

Cyphertext Only Attack

An attacker can launch a Cyphertext Only attack on K₁ by callingmonitoring calls to RND and RD, and on K₂ by monitoring calls to RD andTST. However, given that all these calls also reveal the plaintext aswell as the hashed form of the plaintext, the attack would betransformed into a stronger form of attack—a Known Plaintext attack.

Known Plaintext Attack

It is easy to connect a logic analyzer to the connection between theSystem and the Authentication Chip, and thereby monitor the flow ofdata. This flow of data results in known plaintext and the hashed formof the plaintext, which can therefore be used to launch a KnownPlaintext attack against both K₁ and K₂. To launch an attack against K₁,multiple calls to RND and TST must be made (with the call to TST beingsuccessful, and therefore requiring a call to RD on a valid chip). Thisis straightforward, requiring the attacker to have both a SystemAuthentication Chip and a Consumable Authentication Chip. For each K₁ X,H_(K1)[X] pair revealed, a K₂ Y, H_(K2)[Y] pair is also revealed. Theattacker must collect these pairs for further analysis. The questionarises of how many pairs must be collected for a meaningful attack to belaunched with this data. An example of an attack that requirescollection of data for statistical analysis is DifferentialCryptanalysis. However, there are no known attacks against SHA-1 orHMAC-SHA1, so there is no use for the collected data at this time.

Chosen Plaintext Attacks

Given that the cryptanalyst has the ability to modify subsequent chosenplaintexts based upon the results of previous experiments, K₂ is open toa partial form of the Adaptive Chosen Plaintext attack, which iscertainly a stronger form of attack than a simple Chosen Plaintextattack. A chosen plaintext attack is not possible against K₁, sincethere is no way for a caller to modify R, which used as input to the RNDfunction (the only function to provide the result of hashing with K₁).Clearing R also has the effect of clearing the keys, so is not useful,and the SSI command calls CLR before storing the new R-value.

Adaptive Chosen Plaintext Attacks

This kind of attack is not possible against K₁, since K₁ is notsusceptible to chosen plaintext attacks. However, a partial form of thisattack is possible against K₂, especially since both System andconsumables are typically available to the attacker (the System may notbe available to the attacker in some instances, such as a specific car).The HMAC construct provides security against all forms of chosenplaintext attacks. This is primarily because the HMAC construct has 2secret input variables (the result of the original hash, and the secretkey). Thus finding collisions in the hash function itself when the inputvariable is secret is even harder than finding collisions in the plainhash function. This is because the former requires direct access toSHA-1 (not permitted in Protocol 3) in order to generate pairs ofinput/output from SHA-1. The only values that can be collected by anattacker are HMAC[R] and HMAC[R|M]. These are not attacks against theSHA-1 hash function itself, and reduce the attack to a DifferentialCryptanalysis attack, examining statistical differences betweencollected data. Given that there is no Differential Cryptanalysis attackknown against SHA-1 or HMAC, Protocol 3 is resistant to the AdaptiveChosen Plaintext attacks.

Purposeful Error Attack

An attacker can only launch a Purposeful Error Attack on the TST and RDfunctions, since these are the only functions that validate inputagainst the keys. With both the TST and RD functions, a 0 value isproduced if an error is found in the input—no further information isgiven. In addition, the time taken to produce the 0 result isindependent of the input, giving the attacker no information about whichbit(s) were wrong. A Purposeful Error Attack is therefore fruitless.

Chaining Attack

Any form of chaining attack assumes that the message to be hashed isover several blocks, or the input variables can somehow be set. TheHMAC-SHA1 algorithm used by Protocol 3 only ever hashes a single 512-bitblock at a time. Consequently chaining attacks are not possible againstProtocol 3.

Birthday Attack

The strongest attack known against HMAC is the birthday attack, based onthe frequency of collisions for the hash function. However this istotally impractical for minimally reasonable hash functions such asSHA-1. And the birthday attack is only possible when the attacker hascontrol over the message that is signed. Protocol 3 uses hashing as aform of digital signature. The System sends a number that must beincorporated into the response from a valid Authentication Chip. Sincethe Authentication Chip must respond with H[R|M], but has no controlover the input value R, the birthday attack is not possible. This isbecause the message has effectively already been generated and signed.An attacker must instead search for a collision message that hashes tothe same value (analogous to finding one person who shares yourbirthday). The clone chip must therefore attempt to find a new value R₂such that the hash of R₂ and a chosen M₂ yields the same hash value asH[R|M]. However the System Authentication Chip does not reveal thecorrect hash value (the TST function only returns 1 or 0 depending onwhether the hash value is correct). Therefore the only way of findingout the correct hash value (in order to find a collision) is tointerrogate a real Authentication Chip. But to find the correct valuemeans to update M, and since the decrement-only parts of M are one-way,and the read-only parts of M cannot be changed, a clone consumable wouldhave to update a real consumable before attempting to find a collision.The alternative is a Brute Force attack search on the TST function tofind a success (requiring each clone consumable to have access to aSystem consumable). A Brute Force Search, as described above, takeslonger than the lifetime of the universe, in this case, perauthentication. Due to the fact that a timely gathering of a hash valueimplies a real consumable must be decremented, there is no point for aclone consumable to launch this kind of attack.

Substitution with a Complete Lookup Table

The random number seed in each System is 160 bits. The worst casesituation for an Authentication Chip is that no state data is changed.Consequently there is a constant value returned as M. However a clonechip must still return F_(K2)[R|M], which is a 160 bit value. Assuming a160-bit lookup of a 160-bit result, this requires 7.3×10⁴⁸ bytes, or6.6×10³⁶ terabytes, certainly more space than is feasible for the nearfuture. This of course does not even take into account the method ofcollecting the values for the ROM. A complete lookup table is thereforecompletely impossible.

Substitution with a Sparse Lookup Table

A sparse lookup table is only feasible if the messages sent to theAuthentication Chip are somehow predictable, rather than effectivelyrandom. The random number R is seeded with an unknown random number,gathered from a naturally random event. There is no possibility for aclone manufacturer to know what the possible range of R is for allSystems, since each bit has a 50% chance of being a 1 or a 0. Since therange of R in all systems is unknown, it is not possible to build asparse lookup table that can be used in all systems. The general sparselookup table is therefore not a possible attack. However, it is possiblefor a clone manufacturer to know what the range of R is for a givenSystem. This can be accomplished by loading a LFSR with the currentresult from a call to a specific System Authentication Chip's RNDfunction, and iterating some number of times into the future. If this isdone, a special ROM can be built which will only contain the responsesfor that particular range of R, i.e. a ROM specifically for theconsumables of that particular System. But the attacker still needs toplace correct information in the ROM. The attacker will therefore needto find a valid Authentication Chip and call it for each of the valuesin R.

Suppose the clone Authentication Chip reports a full consumable, andthen allows a single use before simulating loss of connection andinsertion of a new full consumable. The clone consumable would thereforeneed to contain responses for authentication of a full consumable andauthentication of a partially used consumable. The worst case ROMcontains entries for full and partially used consumables for R over thelifetime of System. However, a valid Authentication Chip must be used togenerate the information, and be partially used in the process. If agiven System only produces about n R-values, the sparse lookup-ROMrequired is 10n bytes multiplied by the number of different values forM. The time taken to build the ROM depends on the amount of timeenforced between calls to RD. After all this, the clone manufacturermust rely on the consumer returning for a refill, since the cost ofbuilding the ROM in the first place consumes a single consumable. Theclone manufacturer's business in such a situation is consequently in therefills. The time and cost then, depends on the size of R and the numberof different values for M that must be incorporated in the lookup. Inaddition, a custom clone consumable ROM must be built to match each andevery System, and a different valid Authentication Chip must be used foreach System (in order to provide the full and partially used data). Theuse of an Authentication Chip in a System must therefore be examined todetermine whether or not this kind of attack is worthwhile for a clonemanufacturer. As an example, of a camera system that has about 10,000prints in its lifetime. Assume it has a single Decrement Only value(number of prints remaining), and a delay of 1 second between calls toRD. In such a system, the sparse table will take about 3 hours to build,and consumes 100K. Remember that the construction of the ROM requiresthe consumption of a valid Authentication Chip, so any money chargedmust be worth more than a single consumable and the clone consumablecombined. Thus it is not cost effective to perform this function for asingle consumable (unless the clone consumable somehow contained theequivalent of multiple authentic consumables). If a clone manufactureris going to go to the trouble of building a custom ROM for each owner ofa System, an easier approach would be to update System to completelyignore the Authentication Chip.

Consequently, this attack is possible as a per-System attack, and adecision must be made about the chance of this occurring for a givenSystem/Consumable combination. The chance will depend on the cost of theconsumable and Authentication Chips, the longevity of the consumable,the profit margin on the consumable, the time taken to generate the ROM,the size of the resultant ROM, and whether customers will come back tothe clone manufacturer for refills that use the same clone chip etc.

Differential Cryptanalysis

Existing differential attacks are heavily dependent on the structure ofS boxes, as used in DES and other similar algorithms. Although otheralgorithms such as HMAC-SHA1 used in Protocol 3 have no S boxes, anattacker can undertake a differential-like attack by undertakingstatistical analysis of:

-   -   Minimal-difference inputs, and their corresponding outputs    -   Minimal-difference outputs, and their corresponding inputs        To launch an attack of this nature, sets of input/output pairs        must be collected. The collection from Protocol 3 can be via        Known Plaintext, or from a Partially Adaptive Chosen Plaintext        attack. Obviously the latter, being chosen, will be more useful.        Hashing algorithms in general are designed to be resistant to        differential analysis. SHA-1 in particular has been specifically        strengthened, especially by the 80 word expansion so that        minimal differences in input produce will still produce outputs        that vary in a larger number of bit positions (compared to 128        bit hash functions). In addition, the information collected is        not a direct SHA-1 input/output set, due to the nature of the        HMAC algorithm. The HMAC algorithm hashes a known value with an        unknown value (the key), and the result of this hash is then        rehashed with a separate unknown value. Since the attacker does        not know the secret value, nor the result of the first hash, the        inputs and outputs from SHA-1 are not known, making any        differential attack extremely difficult. The following is a more        detailed discussion of minimally different inputs and outputs        from the Authentication Chip.

Minimal Difference Inputs

This is where an attacker takes a set of X, F_(K)[X] values where the Xvalues are minimally different, and examines the statistical differencesbetween the outputs F_(K)[X]. The attack relies on X values that onlydiffer by a minimal number of bits. The question then arises as to howto obtain minimally different X values in order to compare the F_(K)[X]values.

K₁: With K₁, the attacker needs to statistically examine minimallydifferent X, F_(K1)[X] pairs. However the attacker cannot choose any Xvalue and obtain a related F_(K1)[X] value. Since X, F_(K1)[X] pairs canonly be generated by calling the RND function on a System AuthenticationChip, the attacker must call RND multiple times, recording each observedpair in a table. A search must then be made through the observed valuesfor enough minimally different X values to undertake a statisticalanalysis of the F_(K1)[X] values.

K₂: With K₂, the attacker needs to statistically examine minimallydifferent X, F_(K2)[X] pairs. The only way of generating X, F_(K2)[X]pairs is via the RD function, which produces F_(K2)[X] for a given Y,F_(K1)[Y] pair, where X=Y|M. This means that Y and the changeable partof M can be chosen to a limited extent by an attacker. The amount ofchoice must therefore be limited as much as possible.

The first way of limiting an attacker's choice is to limit Y, since RDrequires an input of the format Y, F_(K1)[Y]. Although a valid pair canbe readily obtained from the RND function, it is a pair of RND'schoosing. An attacker can only provide their own Y if they have obtainedthe appropriate pair from RND, or if they know K₁. Obtaining theappropriate pair from RND requires a Brute Force search. Knowing K₁ isonly logically possible by performing cryptanalysis on pairs obtainedfrom the RND function—effectively a known text attack. Although RND canonly be called so many times per second, K₁ is common across Systemchips. Therefore known pairs can be generated in parallel.

The second way to limit an attacker's choice is to limit M, or at leastthe attacker's ability to choose M. The limiting of M is done by makingsome parts of M Read Only, yet different for each Authentication Chip,and other parts of M Decrement Only. The Read Only parts of M shouldideally be different for each Authentication Chip, so could beinformation such as serial numbers, batch numbers, or random numbers.The Decrement Only parts of M mean that for an attacker to try adifferent M, they can only decrement those parts of M so manytimes—after the Decrement Only parts of M have been reduced to 0 thoseparts cannot be changed again. Obtaining a new Authentication chipprovides a new M, but the Read Only portions will be different from theprevious Authentication Chip's Read Only portions, thus reducing anattacker's ability to choose M even further. Consequently an attackercan only gain a limited number of chances at choosing values for Y andM.

Minimal Difference Outputs

This is where an attacker takes a set of X, F_(K)[X] values where theF_(K)[X] values are minimally different, and examines the statisticaldifferences between the X values. The attack relies on F_(K)[X] valuesthat only differ by a minimal number of bits. For both K₁ and K₂, thereis no way for an attacker to generate an X value for a given F_(K)[X].To do so would violate the fact that F is a one-way function.Consequently the only way for an attacker to mount an attack of thisnature is to record all observed X, F_(K)[X] pairs in a table. A searchmust then be made through the observed values for enough minimallydifferent F_(K)[X] values to undertake a statistical analysis of the Xvalues. Given that this requires more work than a minimally differentinput attack (which is extremely limited due to the restriction on M andthe choice of R), this attack is not fruitful.

Message Substitution Attacks

In order for this kind of attack to be carried out, a clone consumablemust contain a real Authentication chip, but one that is effectivelyreusable since it never gets decremented. The clone Authentication Chipwould intercept messages, and substitute its own. However this attackdoes not give success to the attacker. A clone Authentication Chip maychoose not to pass on a WR command to the real Authentication Chip.However the subsequent RD command must return the correct response (asif the WR had succeeded). To return the correct response, the hash valuemust be known for the specific R and M. As described in the BirthdayAttack section, an attacker can only determine the hash value byactually updating M in a real Chip, which the attacker does not want todo. Even changing the R sent by System does not help since the SystemAuthentication Chip must match the R during a subsequent TST. A Messagesubstitution attack would therefore be unsuccessful. This is only trueif System updates the amount of consumable remaining before it is used.

Reverse Engineering the Key Generator

If a pseudo-random number generator is used to generate keys, there isthe potential for a clone manufacture to obtain the generator program orto deduce the random seed used. This was the way in which the Netscapesecurity program was initially broken.

Bypassing Authentication Altogether

Protocol 3 requires the System to update the consumable state databefore the consumable is used, and follow every write by a read (toauthenticate the write). Thus each use of the consumable requires anauthentication. If the System adheres to these two simple rules, a clonemanufacturer will have to simulate authentication via a method above(such as sparse ROM lookup).

Reuse of Authentication Chips

As described above, Protocol 3 requires the System to update theconsumable state data before the consumable is used, and follow everywrite by a read (to authenticate the write). Thus each use of theconsumable requires an authentication. If a consumable has been used up,then its Authentication Chip will have had the appropriate state-datavalues decremented to 0. The chip can therefore not be used in anotherconsumable. Note that this only holds true for Authentication Chips thathold Decrement-Only data items. If there is no state data decrementedwith each usage, there is nothing stopping the reuse of the chip. Thisis the basic difference between Presence-Only Authentication andConsumable Lifetime Authentication. Protocol 3 allows both. The bottomline is that if a consumable has Decrement Only data items that are usedby the System, the Authentication Chip cannot be reused without beingcompletely reprogrammed by a valid Programming Station that hasknowledge of the secret key.

Management Decision to Omit Authentication to Save Costs

Although not strictly an external attack, a decision to omitauthentication in future Systems in order to save costs will have widelyvarying effects on different markets. In the case of high volumeconsumables, it is essential to remember that it is very difficult tointroduce authentication after the market has started, as systemsrequiring authenticated consumables will not work with older consumablesstill in circulation. Likewise, it is impractical to discontinueauthentication at any stage, as older Systems will not work with thenew, unauthenticated, consumables. In the second case, older Systems canbe individually altered by replacing the System Authentication Chip by asimple chip that has the same programming interface, but whose TSTfunction always succeeds. Of course the System may be programmed to testfor an always-succeeding TST function, and shut down. In the case of aspecialized pairing, such as a car/car-keys, or door/door-key, or someother similar situation, the omission of authentication in futuresystems is trivial and non-repercussive. This is because the consumer issold the entire set of System and Consumable Authentication Chips at theone time.

Garrote/Bribe Attack

This form of attack is only successful in one of two circumstances:

-   -   K₁, K₂, and R are already recorded by the chip-programmer, or    -   the attacker can coerce future values of K₁, K₂, and R to be        recorded.        If humans or computer systems external to the Programming        Station do not know the keys, there is no amount of force or        bribery that can reveal them. The level of security against this        kind of attack is ultimately a decision for the        System/Consumable owner, to be made according to the desired        level of service. For example, a car company may wish to keep a        record of all keys manufactured, so that a person can request a        new key to be made for their car. However this allows the        potential compromise of the entire key database, allowing an        attacker to make keys for any of the manufacturer's existing        cars. It does not allow an attacker to make keys for any new        cars. Of course, the key database itself may also be encrypted        with a further key that requires a certain number of people to        combine their key portions together for access. If no record is        kept of which key is used in a particular car, there is no way        to make additional keys should one become lost. Thus an owner        will have to replace his car's Authentication Chip and all his        car-keys. This is not necessarily a bad situation. By contrast,        in a consumable such as a printer ink cartridge, the one key        combination is used for all Systems and all consumables.        Certainly if no backup of the keys is kept, there is no human        with knowledge of the key, and therefore no attack is possible.        However, a no-backup situation is not desirable for a consumable        such as ink cartridges, since if the key is lost no more        consumables can be made. The manufacturer should therefore keep        a backup of the key information in several parts, where a        certain number of people must together combine their portions to        reveal the full key information. This may be required if case        the chip programming station needs to be reloaded. In any case,        none of these attacks are against Protocol 3 itself, since no        humans are involved in the authentication process. Instead, it        is an attack against the programming stage of the chips.

HMAC-SHA1

The mechanism for authentication is the HMAC-SHA1 algorithm, acting onone of:

-   -   HMAC-SHA1(R, K₁), or    -   HMAC-SHA1(R|M, K₂)        We will now examine the HMAC-SHA1 algorithm in greater detail        than covered so far, and describes an optimization of the        algorithm that requires fewer memory resources than the original        definition.

HMAC

The HMAC algorithm proceeds, given the following definitions:

-   -   H=the hash function (e.g. MD5 or SHA-1)    -   n=number of bits output from H (e.g. 160 for SHA-1, 128 bits for        MD5)    -   M=the data to which the MAC function is to be applied    -   K=the secret key shared by the two parties    -   ipad=0x36 repeated 64 times    -   opad=0x5C repeated 64 times

The HMAC algorithm is as follows:

-   -   1. Extend K to 64 bytes by appending 0x00 bytes to the end of K    -   2. XOR the 64 byte string created in (1) with ipad    -   3. Append data stream M to the 64 byte string created in (2)    -   4. Apply H to the stream generated in (3)    -   5. XOR the 64 byte string created in (1) with opad    -   6. Append the H result from (4) to the 64 byte string resulting        from (5)    -   7. Apply H to the output of (6) and output the result

Thus:

HMAC[M]=H[(K⊕opad)|H[(K⊕ipad)|M]]

HMAC-SHA1 algorithm is simply HMAC with H=SHA-1.

SHA-1

The SHA1 hashing algorithm is defined in the algorithm as summarizedhere.

Nine 32-bit constants are defined. There are 5 constants used toinitialize the chaining variables, and there are 4 additive constants.

Initial Chaining Values Additive Constants h₁ 0x67452301 y₁ 0x5A827999h₂ 0xEFCDAB89 y₂ 0x6ED9EBA1 h₃ 0x98BADCFE y₃ 0x8F1BBCDC h₄ 0x10325476 y₄0xCA62C1D6 h₅ 0xC3D2E1F0Non-optimized SHA-1 requires a total of 2912 bits of data storage:

-   -   Five 32-bit chaining variables are defined: H₁, H₂, H₃, H₄ and        H₅.    -   Five 32-bit working variables are defined: A, B, C, D, and E.    -   One 32-bit temporary variable is defined: t.    -   Eighty 32-bit temporary registers are defined: X₀₋₇₉.        The following functions are defined for SHA-1:

Symbolic Nomenclature Description + Addition modulo 2³² X

Y Result of rotating X left through Y bit positions f(X, Y, Z) (X

Y)

(~X

Z) g(X, Y, Z) (X

Y)

(X

Z)

(Y

Z) h(X, Y, Z) X ⊕ Y ⊕ ZThe hashing algorithm consists of firstly padding the input message tobe a multiple of 512 bits and initializing the chaining variables H₁₋₅with h₁₋₅. The padded message is then processed in 512-bit chunks, withthe output hash value being the final 160-bit value given by theconcatenation of the chaining variables: H₁|H₂|H₃|H₄|H₅. The steps ofthe SHA-1 algorithm are now examined in greater detail.

Step 1. Preprocessing

The first step of SHA-1 is to pad the input message to be a multiple of512 bits as follows and to initialize the chaining variables.

Steps to follow to preprocess the input message Pad the input Append a 1bit to the message message Append 0 bits such that the length of thepadded message is 64-bits short of a multiple of 512 bits. Append a64-bit value containing the length in bits of the original inputmessage. Store the length as most significant bit through to leastsignificant bit. Initialize the H₁ ← h₁, H₂ ← h₂, H₃ ← h₃, H₄ ← h₄, H₅ ←h₅ chaining variables

Step 2. Processing

The padded input message can now be processed. We process the message in512-bit blocks. Each 512-bit block is in the form of 16×32-bit words,referred to as InputWord₀₋₁₅.

Steps to follow for each 512 bit block (InputWord₀₋₁₅) Copy the 512input For j = 0 to 15 bits into X₀₋₁₅ X_(j) = InputWord_(j) Expand X₀₋₁₅For j = 16 to 79 into X₁₆₋₇₉ X_(j) ← ((X_(j−3) ⊕ X_(j−8) ⊕ X_(j−14) ⊕X_(j−16))

1) Initialize working A ← H₁, B ← H₂, C ← H₃, D ← H₄, E ← H₅ variablesRound 1 For j = 0 to 19 t ← ((A

5) + f(B, C, D) + E + X_(j) + y₁) E ← D, D ← C, C ← (B

30), B ← A, A ← t Round 2 For j = 20 to 39 t ← ((A

5) + h(B, C, D) + E + X_(j) + y₂) E ← D, D ← C, C ← (B

30), B ← A, A ← t Round 3 For j = 40 to 59 t ← ((A

5) + g(B, C, D) + E + X_(j) + y₃) E ← D, D ← C, C ← (B

30), B ← A, A ← t Round 4 For j = 60 to 79 t ← ((A

5) + h(B, C, D) + E + X_(j) + y₄) E ← D, D ← C, C ← (B

30), B ← A, A ← t Update chaining H₁ ← H₁ + A, H₂ ← H₂ + B, variables H₃← H₃ + C, H₄ ← H₄ + D, H₅ ← H₅ + E

Step 3. Completion

After all the 512-bit blocks of the padded input message have beenprocessed, the output hash value is the final 160-bit value given by:H₁|H₂|H₃|H₄|H₅.

Optimization for Hardware Implementation

The SHA-1 Step 2 procedure is not optimized for hardware. In particular,the 80 temporary 32-bit registers use up valuable silicon on a hardwareimplementation. This section describes an optimization to the SHA-1algorithm that only uses 16 temporary registers. The reduction insilicon is from 2560 bits down to 512 bits, a saving of over 2000 bits.It may not be important in some applications, but in the AuthenticationChip storage space must be reduced where possible. The optimization isbased on the fact that although the original 16-word message block isexpanded into an 80-word message block, the 80 words are not updatedduring the algorithm. In addition, the words rely on the previous 16words only, and hence the expanded words can be calculated on-the-flyduring processing, as long as we keep 16 words for the backwardreferences. We require rotating counters to keep track of which registerwe are up to using, but the effect is to save a large amount of storage.Rather than index X by a single value j, we use a 5 bit counter to countthrough the iterations. This can be achieved by initializing a 5-bitregister with either 16 or 20, and decrementing it until it reaches 0.In order to update the 16 temporary variables as if they were 80, werequire 4 indexes, each a 4-bit register. All 4 indexes increment (withwraparound) during the course of the algorithm.

Steps to follow for each 512 bit block (InputWord₀₋₁₅) Initializeworking A ← H₁, B ← H₂, C ← H₃, D ← H₄, E ← H₅ variables N₁ ← 13, N₂ ←8, N₃ ← 2, N₄ ← 0 Round 0 Do 16 times: Copy the 512 input X_(N4) =InputWord_(N4) bits into X₀₋₁₅ [

N₁,

N₂,

N₃]_(optional)

N₄ Round 1A Do 16 times: t ← ((A

5) + f(B, C, D) + E + X_(N4) + y₁) [

N₁,

N₂,

N₃]_(optional)

N₄ E ← D, D ← C, C ← (B

30), B ← A, A ← t Round 1B Do 4 times: X_(N4) ← ((X_(N1) ⊕ X_(N2) ⊕X_(N3) ⊕ X_(N4))

1) t ← ((A

5) + f(B, C, D) + E + X_(N4) + y₁)

N₁,

N₂,

N₃,

N₄ E ← D, D ← C, C ← (B

30), B ← A, A ← t Round 2 Do 20 times: X_(N4) ← ((X_(N1) ⊕ X_(N2) ⊕X_(N3) ⊕ X_(N4))

1) t ← ((A

5) + h(B, C, D) + E + X_(N4) + y₂)

N₁,

N₂,

N₃,

N₄ E ← D, D ← C, C ← (B

30), B ← A, A ← t Round 3 Do 20 times: X_(N4) ← ((X_(N1) ⊕ X_(N2) ⊕X_(N3) ⊕ X_(N4))

1) t ← ((A

5) + g(B, C, D) + E + X_(N4) + y₃)

N₁,

N₂,

N₃,

N₄ E ← D, D ← C, C ← (B

30), B ← A, A ← t Round 4 Do 20 times: X_(N4) ← ((X_(N1) ⊕ X_(N2) ⊕X_(N3) ⊕ X_(N4))

1) t ← ((A

5) + h(B, C, D) + E + X_(N4) + y₄)

N₁,

N₂,

N₃,

N₄ E ← D, D ← C, C ← (B

30), B ← A, A ← t Update chaining H₁ ← H₁ + A, H₂ ← H₂ + B, variables H₃← H₃ + C, H₄ ← H₄ + D, H₅ ← H₅ + EThe incrementing of N₁, N₂, and N₃ during Rounds 0 and 1A is optional. Asoftware implementation would not increment them, since it takes time,and at the end of the 16 times through the loop, all 4 counters will betheir original values. Designers of hardware may wish to increment all 4counters together to save on control logic. Round 0 can be completelyomitted if the caller loads the 512 bits of X₀₋₁₅.

HMAC-SHA1

In the Authentication Chip implementation, the HMAC-SHA1 unit only everperforms hashing on two types of inputs: on R using K₁ and on R|M usingK₂. Since the inputs are two constant lengths, rather than have HMAC andSHA-1 as separate entities on chip, they can be combined and thehardware optimized. The padding of messages in SHA-1 Step 1 (a 1 bit, astring of 0 bits, and the length of the message) is necessary to ensurethat different messages will not look the same after padding. Since weonly deal with 2 types of messages, our padding can be constant 0s. Inaddition, the optimized version of the SHA-1 algorithm is used, whereonly 16 32-bit words are used for temporary storage. These 16 registersare loaded directly by the optimized HMAC-SHA1 hardware. The Nine 32-bitconstants h₁₋₅ and y₁₋₄ are still required, although the fact that theyare constants is an advantage for hardware implementation. Hardwareoptimized HMAC-SHA-1 requires a total of 1024 bits of data storage:

-   -   Five 32-bit chaining variables are defined: H₁, H₂, H₃, H₄ and        H₅.    -   Five 32-bit working variables are defined: A, B, C, D, and E.    -   Five 32-bit variables for temporary storage and final result:        Buff160₁₋₅    -   One 32 bit temporary variable is defined: t.    -   Sixteen 32-bit temporary registers are defined: X₀₋₁₅.        The following two sections describe the steps for the two types        of calls to HMAC-SHA1.

H[R, K₁]

In the case of producing the keyed hash of R using K₁, the originalinput message R is a constant length of 160 bits. We can therefore takeadvantage of this fact during processing. Rather than load X₀₋₁₅ duringthe first part of the SHA-1 algorithm, we load X₀₋₁₅ directly, andthereby omit Round 0 of the optimized Process Block (Step 2) of SHA-1.The pseudocode takes on the following steps:

Step Description Action 1 Process K ⊕ ipad X₀₋₄ ← K₁ ⊕ 0x363636 . . . 2X₅₋₁₅ ← 0x363636 . . . 3 H₁₋₅ ← h₁₋₅ 4 Process Block 5 Process R X₀₋₄ ←R 6 X₅₋₁₅ ← 0 7 Process Block 8 Buff160₁₋₅ ← H₁₋₅ 9 Process K ⊕ opadX₀₋₄ ← K₁ ⊕ 0x5C5C5C . . . 10 X₅₋₁₅ ← 0x5C5C5C . . . 11 H₁₋₅ ← h₁₋₅ 12Process Block 13 Process previous H[x] X₀₋₄ ← Result 14 X₅₋₁₅ ← 0 15Process Block 16 Get results Buff160₁₋₅ ← H₁₋₅

H[R|M, K₂]

In the case of producing the keyed hash of R|M using K₂, the originalinput message is a constant length of 416 (256+160) bits. We cantherefore take advantage of this fact during processing. Rather thanload X₀₋₁₅ during the first part of the SHA-1 algorithm, we load X₀₋₁₅directly, and thereby omit Round 0 of the optimized Process Block (Step2) of SHA-1. The pseudocode takes on the following steps:

Step Description Action 1 Process K ⊕ ipad X₀₋₄ ← K₂ ⊕ 0x363636 . . . 2X₅₋₁₅ ← 0x363636 . . . 3 H₁₋₅ ← h₁₋₅ 4 Process Block 5 Process R|M X₀₋₄← R 6 X₅₋₁₂ ← M 7 X₁₃₋₁₅ ←0 8 Process Block 9 Temp ← H₁₋₅ 10 Process K ⊕opad X₀₋₄← K₂ ⊕ 0x5C5C5C . . . 11 X₅₋₁₅ ← 0x5C5C5C . . . 12 H₁₋₅ ← h₁₋₅13 Process Block 14 Process previous H[x] X₀₋₄ ←Temp 15 X₅₋₁₅ ← 0 16Process Block 17 Get results Result ← H₁₋₅

Data Storage Integrity

Each Authentication Chip contains some non-volatile memory in order tohold the variables required by Authentication Protocol 3. The followingnon-volatile variables are defined:

Variable Name Size (in bits) Description M[0 . . . 15] 256 16 words(each 16 bits) containing state data such as serial numbers, mediaremaining etc. K₁ 160 Key used to transform R during authentication. K₂160 Key used to transform M during authentication. R 160 Current randomnumber AccessMode[0 . . . 15] 32 The 16 sets of 2-bit AccessMode valuesfor M[n]. MinTicks 32 The minimum number of clock ticks between calls tokey-based functions SIWritten 1 If set, the secret key information (K₁,K₂, and R) has been written to the chip. If clear, the secretinformation has not been written yet. IsTrusted 1 If set, the RND andTST functions can be called, but RD and WR functions cannot be called.If clear, the RND and TST functions cannot be called, but RD and WRfunctions can be called. Total bits 802Note that if these variables are in Flash memory, it is not a simplematter to write a new value to replace the old. The memory must beerased first, and then the appropriate bits set. This has an effect onthe algorithms used to change Flash memory based variables. For example,Flash memory cannot easily be used as shift registers. To update a Flashmemory variable by a general operation, it is necessary to follow thesesteps:

-   -   Read the entire N bit value into a general purpose register;    -   Perform the operation on the general purpose register;    -   Erase the Flash memory corresponding to the variable; and    -   Set the bits of the Flash memory location based on the bits set        in the general-purpose register.        A RESET of the Authentication Chip has no effect on these        non-volatile variables.

M and AccessMode

Variables M[0] through M[15] are used to hold consumable state data,such as serial numbers, batch numbers, and amount of consumableremaining. Each M[n] register is 16 bits, making the entire M vector 256bits (32 bytes). Clients cannot read from or written to individual M[n]variables. Instead, the entire vector, referred to as M, is read orwritten in a single logical access. M can be read using the RD (read)command, and written to via the WR (write) command. The commands onlysucceed if K₁ and K₂ are both defined (SIWritten=1) and theAuthentication Chip is a consumable non-trusted chip (IsTrusted=0).Although M may contain a number of different data types, they differonly in their write permissions. Each data type can always be read. Oncein client memory, the 256 bits can be interpreted in any way chosen bythe client. The entire 256 bits of M are read at one time instead of insmaller amounts for reasons of security, as described in the chapterentitled Authentication. The different write permissions are outlined inthe following table:

Data Type Access Note Read Only Can never be written to ReadWrite Canalways be written to Decrement Only Can only be written to if the newvalue is less than the old value. Decrement Only values are typically16-bit or 32-bit values, but can be any multiple of 16 bits.To accomplish the protection required for writing, a 2-bit access modevalue is defined for each M[n]. The following table defines theinterpretation of the 2-bit access mode bit-pattern:

Bits Op Interpretation Action taken during Write command 00 RW ReadWriteThe new 16-bit value is always written to M[n]. 01 MSR Decrement OnlyThe new 16-bit value is only written to M[n] (Most Significant if it isless than the value currently in M[n]. Region) This is used for accessto the Most Significant 16 bits of a Decrement Only number. 10 NMSRDecrement Only The new 16-bit value is only written to M[n] (Not theMost if M[n + 1] can also be written. The NMSR Significant access modeallows multiple precision Region) values of 32 bits and more (multiplesof 16 bits) to decrement. 11 RO Read Only The new 16-bit value isignored. M[n] is left unchanged.The 16 sets of access mode bits for the 16 M[n] registers are gatheredtogether in a single 32-bit AccessMode register. The 32 bits of theAccessMode register correspond to M[n] with n as follows:

MSB LSB 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1  0Each 2-bit value is stored in hi/lo format. Consequently, if M[0-5] wereaccess mode MSR, with M[6-15] access mode RO, the 32-bit AccessModeregister would be:

-   -   11-11-11-11-11-11-11-11-11-11-01-01-01-01-01-01        During execution of a WR (write) command, AccessMode[n] is        examined for each M[n], and a decision made as to whether the        new M[n] value will replace the old. The AccessMode register is        set using the Authentication Chip's SAM (Set Access Mode)        command. Note that the Decrement Only comparison is unsigned, so        any Decrement Only values that require negative ranges must be        shifted into a positive range. For example, a consumable with a        Decrement Only data item range of −50 to 50 must have the range        shifted to be 0 to 100. The System must then interpret the range        0 to 100 as being −50 to 50. Note that most instances of        Decrement Only ranges are N to 0, so there is no range shift        required. For Decrement Only data items, arrange the data in        order from most significant to least significant 16-bit        quantities from M[n] onward. The access mode for the most        significant 16 bits (stored in M[n]) should be set to MSR. The        remaining registers (M[n+1], M[n+2] etc) should have their        access modes set to NMSR. If erroneously set to NMSR, with no        associated MSR region, each NMSR region will be considered        independently instead of being a multi-precision comparison.

K₁

K₁ is the 160-bit secret key used to transform R during theauthentication protocol. K₁ is programmed along with K₂ and R with theSSI (Set Secret Information) command. Since K₁ must be kept secret,clients cannot directly read K₁. The commands that make use of K₁ areRND and RD. RND returns a pair R, F_(K1)[R] where R is a random number,while RD requires an X, F_(K1)[X] pair as input. K₁ is used in the keyedone-way hash function HMAC-SHA1. As such it should be programmed with aphysically generated random number, gathered from a physically randomphenomenon. K₁ must NOT be generated with a computer-run random numbergenerator. The security of the Authentication chips depends on K₁, K₂and R being generated in a way that is not deterministic. For example,to set K₁, a person can toss a fair coin 160 times, recording heads as1, and tails as 0. K₁ is automatically cleared to 0 upon execution of aCLR command. It can only be programmed to a non-zero value by the SSIcommand.

K₂

K₂ is the 160-bit secret key used to transform M|R during theauthentication protocol. K₂ is programmed along with K₁ and R with theSSI (Set Secret Information) command. Since K₂ must be kept secret,clients cannot directly read K₂. The commands that make use of K₂ are RDand TST. RD returns a pair M, F_(K2)[M|X] where X was passed in as oneof the parameters to the RD function. TST requires an M, F_(K2)[M|R]pair as input, where R was obtained from the Authentication Chip's RNDfunction. K₂ is used in the keyed one-way hash function HMAC-SHA1. Assuch it should be programmed with a physically generated random number,gathered from a physically random phenomenon. K₂ must NOT be generatedwith a computer-run random number generator. The security of theAuthentication chips depends on K₁, K₂ and R being generated in a waythat is not deterministic. For example, to set K₂, a person can toss afair coin 160 times, recording heads as 1, and tails as 0. K₂ isautomatically cleared to 0 upon execution of a CLR command. It can onlybe programmed to a non-zero value by the SSI command.

R and IsTrusted

R is a 160-bit random number seed that is programmed along with K₁ andK₂ with the SSI (Set Secret Information) command. R does not have to bekept secret, since it is given freely to callers via the RND command.However R must be changed only by the Authentication Chip, and not setto any chosen value by a caller. R is used during the TST command toensure that the R from the previous call to RND was used to generate theF_(K2)[M|R] value in the non-trusted Authentication Chip (ChipA). BothRND and TST are only used in trusted Authentication Chips (ChipT).

IsTrusted is a 1-bit flag register that determines whether or not theAuthentication Chip is a trusted chip (ChipT):

-   -   If the IsTrusted bit is set, the chip is considered to be a        trusted chip, and hence clients can call RND and TST functions        (but not RD or WR).    -   If the IsTrusted bit is clear, the chip is not considered to be        trusted. Therefore RND and TST functions cannot be called (but        RD and WR functions can be called instead). System never needs        to call RND or TST on the consumable (since a clone chip would        simply return 1 to a function such as TST, and a constant value        for RND).        The IsTrusted bit has the added advantage of reducing the number        of available R, F_(K1)[R] pairs obtainable by an attacker, yet        still maintain the integrity of the Authentication protocol. To        obtain valid R, F_(K1)[R] pairs, an attacker requires a System        Authentication Chip, which is more expensive and less readily        available than the consumables. Both R and the IsTrusted bit are        cleared to 0 by the CLR command. They are both written to by the        issuing of the SSI command. The IsTrusted bit can only set by        storing a non-zero seed value in R via the SSI command (R must        be non-zero to be a valid LFSR state, so this is quite        reasonable). R is changed via a 160-bit maximal period LFSR with        taps on bits 1, 2, 4, and 159, and is changed only by a        successful call to TST (where 1 is returned).

Authentication Chips destined to be trusted Chips used in Systems(ChipT) should have their IsTrusted bit set during programming, andAuthentication Chips used in Consumables (ChipA) should have theirIsTrusted bit kept clear (by storing 0 in R via the SSI command duringprogramming). There is no command to read or write the IsTrusted bitdirectly. The security of the Authentication Chip does not only relyupon the randomness of K₁ and K₂ and the strength of the HMAC-SHA1algorithm. To prevent an attacker from building a sparse lookup table,the security of the Authentication Chip also depends on the range of Rover the lifetime of all Systems. What this means is that an attackermust not be able to deduce what values of R there are in produced andfuture Systems. As such R should be programmed with a physicallygenerated random number, gathered from a physically random phenomenon. Rmust NOT be generated with a computer-run random number generator. Thegeneration of R must not be deterministic. For example, to generate an Rfor use in a trusted System chip, a person can toss a fair coin 160times, recording heads as 1, and tails as 0.0 is the only non-validinitial value for a trusted R is 0 (or the IsTrusted bit will not beset).

SIWritten

The SIWritten (Secret Information Written) 1-bit register holds thestatus of the secret information stored within the Authentication Chip.The secret information is K₁, K₂ and R. A client cannot directly accessthe SIWritten bit. Instead, it is cleared via the CLR command (whichalso clears K₁, K₂ and R). When the Authentication Chip is programmedwith secret keys and random number seed using the SSI command(regardless of the value written), the SIWritten bit is setautomatically. Although R is strictly not secret, it must be writtentogether with K₁ and K₂ to ensure that an attacker cannot generate theirown random number seed in order to obtain chosen R, F_(K1)[R] pairs. TheSIWritten status bit is used by all functions that access K₁, K₂, or R.If the SIWritten bit is clear, then calls to RD, WR, RND, and TST areinterpreted as calls to CLR.

MinTicks

There are two mechanisms for preventing an attacker from generatingmultiple calls to TST and RD functions in a short period of time. Thefirst is a clock limiting hardware component that prevents the internalclock from operating at a speed more than a particular maximum (e.g. 10MHz). The second mechanism is the 32-bit MinTicks register, which isused to specify the minimum number of clock ticks that must elapsebetween calls to key-based functions. The MinTicks variable is clearedto 0 via the CLR command. Bits can then be set via the SMT (SetMinTicks) command. The input parameter to SMT contains the bit patternthat represents which bits of MinTicks are to be set. The practicaleffect is that an attacker can only increase the value in MinTicks(since the SMT function only sets bits). In addition, there is nofunction provided to allow a caller to read the current value of thisregister. The value of MinTicks depends on the operating clock speed andthe notion of what constitutes a reasonable time between key-basedfunction calls (application specific). The duration of a single tickdepends on the operating clock speed. This is the maximum of the inputclock speed and the Authentication Chip's clock-limiting hardware. Forexample, the Authentication Chip's clock-limiting hardware may be set at10 MHz (it is not changeable), but the input clock is 1 MHz. In thiscase, the value of 1 tick is based on 1 MHz, not 10 MHz. If the inputclock was 20 MHz instead of 1 MHz, the value of 1 tick is based on 10MHz (since the clock speed is limited to 10 MHz).

Once the duration of a tick is known, the MinTicks value can to be set.The value for MinTicks is the minimum number of ticks required to passbetween calls to the key-based RD and TST functions. The value is areal-time number, and divided by the length of an operating tick.Suppose the input clock speed matches the maximum clock speed of 10 MHz.If we want a minimum of 1 second between calls to key based functions,the value for MinTicks is set to 10,000,000. Consider an attackerattempting to collect X, F_(K1)[X] pairs by calling RND, RD and TSTmultiple times. If the MinTicks value is set such that the amount oftime between calls to TST is 1 second, then each pair requires 1 secondto generate. To generate 2²⁵ pairs (only requiring 1.25 GB of storage),an attacker requires more than 1 year. An attack requiring 2⁶⁴ pairswould require 5.84×10¹¹ years using a single chip, or 584 years if 1billion chips were used, making such an attack completely impractical interms of time (not to mention the storage requirements!).

With regards to K₁, it should be noted that the MinTicks variable onlyslows down an attacker and causes the attack to cost more since it doesnot stop an attacker using multiple System chips in parallel. HoweverMinTicks does make an attack on K₂ more difficult, since each consumablehas a different M (part of M is random read-only data). In order tolaunch a differential attack, minimally different inputs are required,and this can only be achieved with a single consumable (containing aneffectively constant part of M). Minimally different inputs require theattacker to use a single chip, and MinTicks causes the use of a singlechip to be slowed down. If it takes a year just to get the data to startsearching for values to begin a differential attack this increases thecost of attack and reduces the effective market time of a cloneconsumable.

Authentication Chip Commands

The System communicates with the Authentication Chips via a simpleoperation command set. This section details the actual commands andparameters necessary for implementation of Protocol 3. TheAuthentication Chip is defined here as communicating to System via aserial interface as a minimum implementation. It is a trivial matter todefine an equivalent chip that operates over a wider interface (such as8, 16 or 32 bits). Each command is defined by 3-bit opcode. Theinterpretation of the opcode can depend on the current value of theIsTrusted bit and the current value of the IsWritten bit. The followingoperations are defined:

Op T W Mn Input Output Description 000 — — CLR — — Clear 001 0 0 SSI[160, 160, 160] — Set Secret Information 010 0 1 RD [160, 160] [256,160] Read M securely 010 1 1 RND — [160, 160] Random 011 0 1 WR [256] —Write M 011 1 1 TST [256, 160] [1] Test 100 0 1 SAM  [32] [32]  SetAccess Mode 101 — 1 GIT — [1] Get Is Trusted 110 — 1 SMT  [32] — SetMinTicks Op = Opcode, T = IsTrusted value, W = IsWritten value, Mn =Mnemonic, [n] = number of bits required for parameterAny command not defined in this table is interpreted as NOP (NoOperation). Examples include opcodes 110 and 111 (regardless ofIsTrusted or IsWritten values), and any opcode other than SSI whenIsWritten=0. Note that the opcodes for RD and RND are the same, as arethe opcodes for WR and TST. The actual command run upon receipt of theopcode will depend on the current value of the IsTrusted bit (as long asIsWritten is 1). Where the IsTrusted bit is clear, RD and WR functionswill be called. Where the IsTrusted bit is set, RND and TST functionswill be called. The two sets of commands are mutually exclusive betweentrusted and non-trusted Authentication Chips, and the same opcodesenforces this relationship. Each of the commands is examined in detailin the subsequent sections. Note that some algorithms are specificallydesigned because Flash memory is assumed for the implementation ofnon-volatile variables.

CLR Clear Input None Output None Changes AllThe CLR (Clear) Command is designed to completely erase the contents ofall Authentication Chip memory. This includes all keys and secretinformation, access mode bits, and state data. After the execution ofthe CLR command, an Authentication Chip will be in a programmable state,just as if it had been freshly manufactured. It can be reprogrammed witha new key and reused. A CLR command consists of simply the CLR commandopcode. Since the Authentication Chip is serial, this must betransferred one bit at a time. The bit order is LSB to MSB for eachcommand component. A CLR command is therefore sent as bits 0-2 of theCLR opcode. A total of 3 bits are transferred. The CLR command can becalled directly at any time. The order of erasure is important.SIWritten must be cleared first, to disable further calls to key accessfunctions (such as RND, TST, RD and WR). If the AccessMode bits arecleared before SIWritten, an attacker could remove power at some pointafter they have been cleared, and manipulate M, thereby have a betterchance of retrieving the secret information with a partial chosen textattack. The CLR command is implemented with the following steps:

Step Action 1 Erase SIWritten Erase IsTrusted Erase K₁ Erase K₂ Erase RErase M 2 Erase AccessMode Erase MinTicksOnce the chip has been cleared it is ready for reprogramming and reuse.A blank chip is of no use to an attacker, since although they can createany value for M (M can be read from and written to), key-based functionswill not provide any information as K₁ and K₂ will be incorrect. It isnot necessary to consume any input parameter bits if CLR is called forany opcode other than CLR. An attacker will simply have to RESET thechip. The reason for calling CLR is to ensure that all secretinformation has been destroyed, making the chip useless to an attacker.

SSI—Set Secret Information

Input: K₁, K₂, R=[160 bits, 160 bits, 160 bits]

Output: None Changes: K₁, K₂, R, SIWritten, IsTrusted

The SSI (Set Secret Information) command is used to load the K₁, K₂ andR variables, and to set SIWritten and IsTrusted flags for later calls toRND, TST, RD and WR commands. An SSI command consists of the SSI commandopcode followed by the secret information to be stored in the K₁, K₂ andR registers. Since the Authentication Chip is serial, this must betransferred one bit at a time. The bit order is LSB to MSB for eachcommand component. An SSI command is therefore sent as: bits 0-2 of theSSI opcode, followed by bits 0-159 of the new value for K₁, bits 0-159of the new value for K₂, and finally bits 0-159 of the seed value for R.A total of 483 bits are transferred. The K₁, K₂, R, SIWritten, andIsTrusted registers are all cleared to 0 with a CLR command. They canonly be set using the SSI command.

The SSI command uses the flag SIWritten to store the fact that data hasbeen loaded into K₁, K₂, and R. If the SIWritten and IsTrusted flags areclear (this is the case after a CLR instruction), then K₁, K₂ and R areloaded with the new values. If either flag is set, an attempted call toSSI results in a CLR command being executed, since only an attacker oran erroneous client would attempt to change keys or the random seedwithout calling CLR first. The SSI command also sets the IsTrusted flagdepending on the value for R. If R=0, then the chip is considereduntrustworthy, and therefore IsTrusted remains at 0. If R≠0, then thechip is considered trustworthy, and therefore IsTrusted is set to 1.Note that the setting of the IsTrusted bit only occurs during the SSIcommand. If an Authentication Chip is to be reused, the CLR command mustbe called first. The keys can then be safely reprogrammed with an SSIcommand, and fresh state information loaded into M using the SAM and WRcommands. The SSI command is implemented with the following steps:

Step Action 1 CLR 2 K₁ ← Read 160 bits from client 3 K₂ ← Read 160 bitsfrom client 4 R ← Read 160 bits from client 5 IF (R ≠ 0)  IsTrusted ← 16 SIWritten ← 1

RD—Read

Input: X, F_(K1)[X]=[160 bits, 160 bits]Output: M, F_(K2)[X|M]=[256 bits, 160 bits]

Changes: R

The RD (Read) command is used to securely read the entire 256 bits ofstate data (M) from a non-trusted Authentication Chip. Only a validAuthentication Chip will respond correctly to the RD request. The outputbits from the RD command can be fed as the input bits to the TST commandon a trusted Authentication Chip for verification, with the first 256bits (M) stored for later use if (as we hope) TST returns 1. Since theAuthentication Chip is serial, the command and input parameters must betransferred one bit at a time. The bit order is LSB to MSB for eachcommand component. A RD command is therefore: bits 0-2 of the RD opcode,followed by bits 0-159 of X, and bits 0-159 of F_(K1)[X]. 323 bits aretransferred in total. X and F_(K1)[X] are obtained by calling thetrusted Authentication Chip's RND command. The 320 bits output by thetrusted chip's RND command can therefore be fed directly into thenon-trusted chip's RD command, with no need for these bits to be storedby System. The RD command can only be used when the following conditionshave been met:

SIWritten = 1 indicating that K₁, K₂ and R have been set up via the SSIcommand; and IsTrusted = 0 indicating the chip is not trusted since itis not permitted to generate random number sequences;In addition, calls to RD must wait for the MinTicksRemaining register toreach 0. Once it has done so, the register is reloaded with MinTicks toensure that a minimum time will elapse between calls to RD. OnceMinTicksRemaining has been reloaded with MinTicks, the RD commandverifies that the input parameters are valid. This is accomplished byinternally generating F_(K1)[X] for the input X, and then comparing theresult against the input F_(K1)[X]. This generation and comparison musttake the same amount of time regardless of whether the input parametersare correct or not. If the times are not the same, an attacker can gaininformation about which bits of F_(K1)[X] are incorrect. The only wayfor the input parameters to be invalid is an erroneous System (passingthe wrong bits), a case of the wrong consumable in the wrong System, abad trusted chip (generating bad pairs), or an attack on theAuthentication Chip. A constant value of 0 is returned when the inputparameters are wrong. The time taken for 0 to be returned must be thesame for all bad inputs so that attackers can learn nothing about whatwas invalid. Once the input parameters have been verified the outputvalues are calculated. The 256 bit content of M are transferred in thefollowing order: bits 0-15 of M[0], bits 0-15 of M[1], through to bits0-15 of M[15]. F_(K2)[X|M] is calculated and output as bits 0-159. The Rregister is used to store the X value during the validation of the X,F_(K1)[X] pair. This is because RND and RD are mutually exclusive. TheRD command is implemented with the following steps:

Step Action 1 IF (MinTicksRemaining ≠ 0  GOTO 1 2 MinTicksRemaining ←MinTicks 3 R ← Read 160 bits from client 4 Hash ← Calculate F_(K1)[R] 5OK ← (Hash = next 160 bits from client) Note that this operation musttake constant time so an attacker cannot determine how much of theirguess is correct. 6 IF (OK)  Output 256 bits of M to client ELSE  Output256 bits of 0 to client 7 Hash ← Calculate F_(K2)[R | M] 8 IF (OK) Output 160 bits of Hash to client ELSE  Output 160 bits of 0 to client

RND—Random Input: None

Output: R, F_(K1)[R]=[160 bits, 160 bits]

Changes: None

The RND (Random) command is used by a client to obtain a valid R,F_(K1)[R] pair for use in a subsequent authentication via the RD and TSTcommands. Since there are no input parameters, an RND command istherefore simply bits 0-2 of the RND opcode. The RND command can only beused when the following conditions have been met:

-   -   SIWritten=1 indicating K₁ and R have been set up via the SSI        command;    -   IsTrusted=1 indicating the chip is permitted to generate random        number sequences;        RND returns both R and F_(K1)[R] to the caller. The 288-bit        output of the RND command can be fed straight into the        non-trusted chip's RD command as the input parameters. There is        no need for the client to store them at all, since they are not        required again. However the TST command will only succeed if the        random number passed into the RD command was obtained first from        the RND command. If a caller only calls RND multiple times, the        same R, F_(K1)[R] pair will be returned each time. R will only        advance to the next random number in the sequence after a        successful call to TST. See TST for more information. The RND        command is implemented with the following steps:

Step Action 1 Output 160 bits of R to client 2 Hash ← CalculateF_(K1)[R] 3 Output 160 bits of Hash to client

TST—Test

Input: X, F_(K2)[R|X]=[256 bits, 160 bits]Output: 1 or 0=[1 bit]Changes: M, R and MinTicksRemaining (or all registers if attackdetected)

The TST (Test) command is used to authenticate a read of M from anon-trusted Authentication Chip. The TST (Test) command consists of theTST command opcode followed by input parameters: X and F_(K2)[R|X].Since the Authentication Chip is serial, this must be transferred onebit at a time. The bit order is LSB to MSB for each command component. ATST command is therefore: bits 0-2 of the TST opcode, followed by bits0-255 of M, bits 0-159 of F_(K2)[R|M]. 419 bits are transferred intotal. Since the last 416 input bits are obtained as the output bitsfrom a RD command to a non-trusted Authentication Chip, the entire datadoes not even have to be stored by the client. Instead, the bits can bepassed directly to the trusted Authentication Chip's TST command. Onlythe 256 bits of M should be kept from a RD command. The TST command canonly be used when the following conditions have been met:

-   -   SIWritten=1 indicating K₂ and R have been set up via the SSI        command;    -   IsTrusted=1 indicating the chip is permitted to generate random        number sequences;        In addition, calls to TST must wait for the MinTicksRemaining        register to reach 0. Once it has done so, the register is        reloaded with MinTicks to ensure that a minimum time will elapse        between calls to TST. TST causes the internal M value to be        replaced by the input M value. F_(K1)[M|R] is then calculated,        and compared against the 160 bit input hash value. A single        output bit is produced: 1 if they are the same, and 0 if they        are different. The use of the internal M value is to save space        on chip, and is the reason why RD and TST are mutually exclusive        commands. If the output bit is 1, R is updated to be the next        random number in the sequence. This forces the caller to use a        new random number each time RD and TST are called. The resultant        output bit is not output until the entire input string has been        compared, so that the time to evaluate the comparison in the TST        function is always the same. Thus no attacker can compare        execution times or number of bits processed before an output is        given.

The next random number is generated from R using a 160-bit maximalperiod LFSR (tap selections on bits 159, 4, 2, and 1). The initial160-bit value for R is set up via the SSI command, and can be any randomnumber except 0 (an LFSR filled with 0s will produce a never-endingstream of 0s). R is transformed by XORing bits 1, 2, 4, and 159together, and shifting all 160 bits right 1 bit using the XOR result asthe input bit to b₁₅₉. The new R will be returned on the next call toRND. Note that the time taken for 0 to be returned from TST must be thesame for all bad inputs so that attackers can learn nothing about whatwas invalid about the input.

The TST command is implemented with the following steps:

Step Action 1 IF (MinTicksRemaining ≠ 0  GOTO 1 2 MinTicksRemaining ←MinTicks 3 M ← Read 256 bits from client 4 IF (R = 0)  GOTO CLR 5 Hash ←Calculate F_(K2)[R | M] 6 OK ← (Hash = next 160 bits from client) Notethat this operation must take constant time so an attacker cannotdetermine how much of their guess is correct. 7 IF (OK)  Temp ← R  EraseR  Advance TEMP via LFSR  R ← TEMP 8 Output 1 bit of OK to clientNote that we can't simply advance R directly in Step 7 since R is Flashmemory, and must be erased in order for any set bit to become 0. Ifpower is removed from the Authentication Chip during Step 7 aftererasing the old value of R, but before the new value for R has beenwritten, then R will be erased but not reprogrammed. We therefore havethe situation of IsTrusted=1, yet R=0, a situation only possible due toan attacker. Step 4 detects this event, and takes action if the attackis detected. This problem can be avoided by having a second 160-bitFlash register for R and a Validity Bit, toggled after the new value hasbeen loaded. It has not been included in this implementation for reasonsof space, but if chip space allows it, an extra 160-bit Flash registerwould be useful for this purpose.

WR—Write

Input: M_(new)=[256 bits]

Output: None Changes: M

A WR (Write) command is used to update the writeable parts of Mcontaining Authentication Chip state data. The WR command by itself isnot secure. It must be followed by an authenticated read of M (via a RDcommand) to ensure that the change was made as specified. The WR commandis called by passing the WR command opcode followed by the new 256 bitsof data to be written to M. Since the Authentication Chip is serial, thenew value for M must be transferred one bit at a time. The bit order isLSB to MSB for each command component. A WR command is therefore: bits0-2 of the WR opcode, followed by bits 0-15 of M[0], bits 0-15 of M[1],through to bits 0-15 of M[15]. 259 bits are transferred in total. The WRcommand can only be used when SIWritten=1, indicating that K₁, K₂ and Rhave been set up via the SSI command (if SIWritten is 0, then K₁, K₂ andR have not been setup yet, and the CLR command is called instead). Theability to write to a specific M[n] is governed by the correspondingAccess Mode bits as stored in the AccessMode register. The AccessModebits can be set using the SAM command. When writing the new value toM[n] the fact that M[n] is Flash memory must be taken into account. Allthe bits of M[n] must be erased, and then the appropriate bits set.Since these two steps occur on different cycles, it leaves thepossibility of attack open. An attacker can remove power after erasure,but before programming with the new value. However, there is noadvantage to an attacker in doing this:

-   -   A Read/Write M[n] changed to 0 by this means is of no advantage        since the attacker could have written any value using the WR        command anyway.    -   A Read Only M[n] changed to 0 by this means allows an additional        known text pair (where the M[n] is 0 instead of the original        value). For future use M[n] values, they are already 0, so no        information is given.    -   A Decrement Only M[n] changed to 0 simply speeds up the time in        which the consumable is used up. It does not give any new        information to an attacker that using the consumable would give.        The WR command is implemented with the following steps:

Step Action 1 DecEncountered ← 0 EqEncountered ← 0 n ← 15 2 Temp ← Read16 bits from client 3 AM = AccessMode[~n] Compare to the previous value4 LT ← (Temp < M[~n]) [comparison is unsigned] EQ ← (Temp = M[~n]) 5 WE← (AM = RW)

((AM = MSR)

LT)

((AM = NMSR)

(DecEncountered

LT)) 6 DecEncountered ← ((AM = MSR)

LT)

((AM = NMSR)

DecEncountered)

((AM = NMSR)

EqEncountered

LT) EqEncountered ← ((AM = MSR)

EQ)

((AM = NMSR)

EqEncountered

EQ) Advance to the next Access Mode set and write the new M[~n] ifapplicable 8 IF (WE)  Erase M[~n]  M[~n] ← Temp 10

n 11 IF (n ≠ 0)  GOTO 2

SAM—Set AccessMode

Input: AccessMode_(new)=[32 bits]Output: AccessMode=[32 bits]

Changes: AccessMode

The SAM (Set Access Mode) command is used to set the 32 bits of theAccessMode register, and is only available for use in consumableAuthentication Chips (where the IsTrusted flag=0). The SAM command iscalled by passing the SAM command opcode followed by a 32-bit value thatis used to set bits in the AccessMode register. Since the AuthenticationChip is serial, the data must be transferred one bit at a time. The bitorder is LSB to MSB for each command component. A SAM command istherefore: bits 0-2 of the SAM opcode, followed by bits 0-31 of bits tobe set in AccessMode. 35 bits are transferred in total. The AccessModeregister is only cleared to 0 upon execution of a CLR command. Since anaccess mode of 00 indicates an access mode of RW (read/write), notsetting any AccessMode bits after a CLR means that all of M can be readfrom and written to. The SAM command only sets bits in the AccessModeregister. Consequently a client can change the access mode bits for M[n]from RW to RO (read only) by setting the appropriate bits in a 32-bitword, and calling SAM with that 32-bit value as the input parameter.This allows the programming of the access mode bits at different times,perhaps at different stages of the manufacturing process. For example,the read only random data can be written to during the initial keyprogramming stage, while allowing a second programming stage for itemssuch as consumable serial numbers.

Since the SAM command only sets bits, the effect is to allow the accessmode bits corresponding to M[n] to progress from RW to either MSR, NMSR,or RO. It should be noted that an access mode of MSR can be changed toRO, but this would not help an attacker, since the authentication of Mafter a write to a doctored Authentication Chip would detect that thewrite was not successful and hence abort the operation. The setting ofbits corresponds to the way that Flash memory works best. The only wayto clear bits in the AccessMode register, for example to change aDecrement Only M[n] to be Read/Write, is to use the CLR command. The CLRcommand not only erases (clears) the AccessMode register, but alsoclears the keys and all of M. Thus the AccessMode[n] bits correspondingto M[n] can only usefully be changed once between CLR commands. The SAMcommand returns the new value of the AccessMode register (after theappropriate bits have been set due to the input parameter). By callingSAM with an input parameter of 0, AccessMode will not be changed, andtherefore the current value of AccessMode will be returned to thecaller.

The SAM command is implemented with the following steps:

Step Action 1 Temp ← Read 32 bits from client 2 SetBits(AccessMode,Temp) 3 Output 32 bits of AccessMode to client

GIT—Get Is Trusted Input: None

Output: IsTrusted=[1 bit]

Changes: None

The GIT (Get Is Trusted) command is used to read the current value ofthe IsTrusted bit on the Authentication Chip. If the bit returned is 1,the Authentication Chip is a trusted System Authentication Chip. If thebit returned is 0, the Authentication Chip is a consumableAuthentication Chip. A GIT command consists of simply the GIT commandopcode. Since the Authentication Chip is serial, this must betransferred one bit at a time. The bit order is LSB to MSB for eachcommand component. A GIT command is therefore sent as bits 0-2 of theGIT opcode. A total of 3 bits are transferred. The GIT command isimplemented with the following steps:

Step Action 1 Output IsTrusted bit to client

SMT—Set MinTicks

Input: MinTicks_(new)=[32 bits]

Output: None Changes: MinTicks

The SMT (Set MinTicks) command is used to set bits in the MinTicksregister and hence define the minimum number of ticks that must pass inbetween calls to TST and RD. The SMT command is called by passing theSMT command opcode followed by a 32-bit value that is used to set bitsin the MinTicks register. Since the Authentication Chip is serial, thedata must be transferred one bit at a time. The bit order is LSB to MSBfor each command component. An SMT command is therefore: bits 0-2 of theSMT opcode, followed by bits 0-31 of bits to be set in MinTicks. 35 bitsare transferred in total. The MinTicks register is only cleared to 0upon execution of a CLR command. A value of 0 indicates that no ticksneed to pass between calls to key-based functions. The functions maytherefore be called as frequently as the clock speed limiting hardwareallows the chip to run.

Since the SMT command only sets bits, the effect is to allow a client toset a value, and only increase the time delay if further calls are made.Setting a bit that is already set has no effect, and setting a bit thatis clear only serves to slow the chip down further. The setting of bitscorresponds to the way that Flash memory works best. The only way toclear bits in the MinTicks register, for example to change a value of 10ticks to a value of 4 ticks, is to use the CLR command. However the CLRcommand clears the MinTicks register to 0 as well as clearing all keysand M. It is therefore useless for an attacker. Thus the MinTicksregister can only usefully be changed once between CLR commands.

The SMT command is implemented with the following steps:

Step Action 1 Temp ← Read 32 bits from client 2 SetBits(MinTicks, Temp)

Programming Authentication Chips

Authentication Chips must be programmed with logically secureinformation in a physically secure environment. Consequently theprogramming procedures cover both logical and physical security. Logicalsecurity is the process of ensuring that K₁, K₂, R, and the random M[n]values are generated by a physically random process, and not by acomputer. It is also the process of ensuring that the order in whichparts of the chip are programmed is the most logically secure. Physicalsecurity is the process of ensuring that the programming station isphysically secure, so that K₁ and K₂ remain secret, both during the keygeneration stage and during the lifetime of the storage of the keys. Inaddition, the programming station must be resistant to physical attemptsto obtain or destroy the keys. The Authentication Chip has its ownsecurity mechanisms for ensuring that K₁ and K₂ are kept secret, but theProgramming Station must also keep K₁ and K₂ safe.

Overview

After manufacture, an Authentication Chip must be programmed before itcan be used. In all chips values for K₁ and K₂ must be established. Ifthe chip is destined to be a System Authentication Chip, the initialvalue for R must be determined. If the chip is destined to be aconsumable Authentication Chip, R must be set to 0, and initial valuesfor M and AccessMode must be set up. The following stages are thereforeidentified:

1. Determine Interaction between Systems and Consumables

2. Determine Keys for Systems and Consumables 3. Determine MinTicks forSystems and Consumables 4. Program Keys, Random Seed, MinTicks andUnused M 5. Program State Data and Access Modes

Once the consumable or system is no longer required, the attachedAuthentication Chip can be reused. This is easily accomplished byreprogrammed the chip starting at Stage 4 again. Each of the stages isexamined in the subsequent sections.

Stage 0: Manufacture

The manufacture of Authentication Chips does not require any specialsecurity. There is no secret information programmed into the chips atmanufacturing stage. The algorithms and chip process is not special.Standard Flash processes are used. A theft of Authentication Chipsbetween the chip manufacturer and programming station would only providethe clone manufacturer with blank chips. This merely compromises thesale of Authentication chips, not anything authenticated byAuthentication Chips. Since the programming station is the onlymechanism with consumable and system product keys, a clone manufacturerwould not be able to program the chips with the correct key. Clonemanufacturers would be able to program the blank chips for their ownsystems and consumables, but it would be difficult to place these itemson the market without detection. In addition, a single theft would bedifficult to base a business around.

Stage 1: Determine Interaction between Systems and Consumables

The decision of what is a System and what is a Consumable needs to bedetermined before any Authentication Chips can be programmed. A decisionneeds to be made about which Consumables can be used in which Systems,since all connected Systems and Consumables must share the same keyinformation. They also need to share state-data usage mechanisms even ifsome of the interpretations of that data have not yet been determined. Asimple example is that of a car and car-keys. The car itself is theSystem, and the car-keys are the consumables. There are several car-keysfor each car, each containing the same key information as the specificcar. However each car (System) would contain a different key (shared byits car-keys), since we don't want car-keys from one car working inanother. Another example is that of a photocopier that requires aparticular toner cartridge. In simple terms the photocopier is theSystem, and the toner cartridge is the consumable. However the decisionmust be made as to what compatibility there is to be between cartridgesand photocopiers. The decision has historically been made in terms ofthe physical packaging of the toner cartridge: certain cartridges willor won't fit in a new model photocopier based on the design decisionsfor that copier. When Authentication Chips are used, the components thatmust work together must share the same key information.

In addition, each type of consumable requires a different way ofdividing M (the state data). Although the way in which M is used willvary from application to application, the method of allocating M[n] andAccessMode[n] will be the same:

-   -   Define the consumable state data for specific use    -   Set some M[n] registers aside for future use (if required). Set        these to be 0 and Read Only. The value can be tested for in        Systems to maintain compatibility.    -   Set the remaining M[n] registers (at least one, but it does not        have to be M[15]) to be Read Only, with the contents of each        M[n] completely random. This is to make it more difficult for a        clone manufacturer to attack the authentication keys.

The following examples show ways in which the state data may beorganized.

Example 1

Suppose we have a car with associated car-keys. A 16-bit key number ismore than enough to uniquely identify each car-key for a given car. The256 bits of M could be divided up as follows:

M[n] Access Description 0 RO Key number (16 bits) 1-4 RO Car enginenumber (64 bits) 5-8 RO For future expansion = 0 (64 bits)  8-15 RORandom bit data (128 bits)If the car manufacturer keeps all logical keys for all cars, it is atrivial matter to manufacture a new physical car-key for a given carshould one be lost. The new car-key would contain a new Key Number inM[0], but have the same K₁ and K₂ as the car's Authentication Chip. CarSystems could allow specific key numbers to be invalidated (for exampleif a key is lost). Such a system might require Key 0 (the master key) tobe inserted first, then all valid keys, then Key 0 again. Only thosevalid keys would now work with the car. In the worst case, for exampleif all car-keys are lost, then a new set of logical keys could begenerated for the car and its associated physical car-keys if desired.The Car engine number would be used to tie the key to the particularcar. Future use data may include such things as rental information, suchas driver/renter details.

Example 2

Suppose we have a photocopier image unit which should be replaced every100,000 copies. 32 bits are required to store the number of pagesremaining. The 256 bits of M could be divided up as follows:

M[n] Access Description 0 RO Serial number (16 bits) 1 RO Batch number(16 bits) 2 MSR Page Count Remaining (32 bits, hi/lo) 3 NMSR 4-7  RO Forfuture expansion = 0 (64 bits) 8-15 RO Random bit data (128 bits)If a lower quality image unit is made that must be replaced after only10,000 copies, the 32-bit page count can still be used for compatibilitywith existing photocopiers. This allows several consumable types to beused with the same system.

Example 3

Consider a Polaroid camera consumable containing 25 photos. A 16-bitcountdown is all that is required to store the number of photosremaining. The 256 bits of M could be divided up as follows:

M[n] Access Description 0 RO Serial number (16 bits) 1 RO Batch number(16 bits) 2 MSR Photos Remaining (16 bits) 3-6  RO For future expansion= 0 (64 bits) 7-15 RO Random bit data (144 bits)The Photos Remaining value at M[2] allows a number of consumable typesto be built for use with the same camera System. For example, a newconsumable with 36 photos is trivial to program. Suppose 2 years afterthe introduction of the camera, a new type of camera was introduced. Itis able to use the old consumable, but also can process a new film type.M[3] can be used to define Film Type. Old film types would be 0, and thenew film types would be some new value. New Systems can take advantageof this. Original systems would detect a non-zero value at M[3] andrealize incompatibility with new film types. New Systems wouldunderstand the value of M[3] and so react appropriately. To maintaincompatibility with the old consumable, the new consumable and Systemneeds to have the same key information as the old one. To make a cleanbreak with a new System and its own special consumables, a new key setwould be required.

Example 4

Consider a printer consumable containing 3 inks: cyan, magenta, andyellow. Each ink amount can be decremented separately. The 256 bits of Mcould be divided up as follows:

M[n] Access Description 0 RO Serial number (16 bits) 1 RO Batch number(16 bits) 2 MSR Cyan Remaining (32 bits, hi/lo) 3 NMSR 4 MSR MagentaRemaining (32 bits, hi/lo) 5 NMSR 6 MSR Yellow Remaining (32 bits,hi/lo) 7 NMSR  8-11 RO For future expansion = 0 (64 bits) 12-15 RORandom bit data (64 bits)

Stage 2: Determine Keys for Systems and Consumables

Once the decision has been made as to which Systems and consumables areto share the same keys, those keys must be defined. The values for K₁and K₂ must therefore be determined. In most cases, K₁ and K₂ will begenerated once for all time. All Systems and consumables that have towork together (both now and in the future) need to have the same K₁ andK₂ values. K₁ and K₂ must therefore be kept secret since the entiresecurity mechanism for the System/Consumable combination is made void ifthe keys are compromised. If the keys are compromised, the damagedepends on the number of systems and consumables, and the ease to whichthey can be reprogrammed with new non-compromised keys: In the case of aphotocopier with toner cartridges, the worst case is that a clonemanufacturer could then manufacture their own Authentication Chips (orworse, buy them), program the chips with the known keys, and then insertthem into their own consumables. In the case of a car with car-keys,each car has a different set of keys. This leads to two possible generalscenarios. The first is that after the car and car-keys are programmedwith the keys, K₁ and K₂ are deleted so no record of their values arekept, meaning that there is no way to compromise K₁ and K₂. However nomore car-keys can be made for that car without reprogramming the car'sAuthentication Chip. The second scenario is that the car manufacturerkeeps K₁ and K₂, and new keys can be made for the car. A compromise ofK₁ and K₂ means that someone could make a car-key specifically for aparticular car.

The keys and random data used in the Authentication Chips must thereforebe generated by a means that is non-deterministic (a completely computergenerated pseudo-random number cannot be used because it isdeterministic—knowledge of the generator's seed gives all futurenumbers). K₁ and K₂ should be generated by a physically random process,and not by a computer. However, random bit generators based on naturalsources of randomness are subject to influence by external factors andalso to malfunction. It is imperative that such devices be testedperiodically for statistical randomness.

A simple yet useful source of random numbers is the Lavarand® systemfrom SGI. This generator uses a digital camera to photograph six lavalamps every few minutes. Lava lamps contain chaotic turbulent systems.The resultant digital images are fed into an SHA-1 implementation thatproduces a 7-way hash, resulting in a 160-bit value from every 7th byefrom the digitized image. These 7 sets of 160 bits total 140 bytes. The140 byte value is fed into a BBS generator to position the start of theoutput bitstream. The output 160 bits from the BBS would be the key orthe Authentication chip.

An extreme example of a non-deterministic random process is someoneflipping a coin 160 times for K₁ and 160 times for K₂ in a clean room.With each head or tail, a 1 or 0 is entered on a panel of a KeyProgrammer Device. The process must be undertaken with several observers(for verification) in silence (someone may have a hidden microphone).The point to be made is that secure data entry and storage is not assimple as it sounds. The physical security of the Key Programmer Deviceand accompanying Programming Station requires an entire document of itsown. Once keys K₁ and K₂ have been determined, they must be kept for aslong as Authentication Chips need to be made that use the key. In thefirst car/car-key scenario K₁ and K₂ are destroyed after a single Systemchip and a few consumable chips have been programmed. In the case of thephotocopier/toner cartridge, K₁ and K₂ must be retained for as long asthe toner-cartridges are being made for the photocopiers. The keys mustbe kept securely.

Stage 3: Determine MinTicks for Systems and Consumables

The value of MinTicks depends on the operating clock speed of theAuthentication Chip (System specific) and the notion of what constitutesa reasonable time between RD or TST function calls (applicationspecific). The duration of a single tick depends on the operating clockspeed. This is the maximum of the input clock speed and theAuthentication Chip's clock-limiting hardware. For example, theAuthentication Chip's clock-limiting hardware may be set at 10 MHz (itis not changeable), but the input clock is 1 MHz. In this case, thevalue of 1 tick is based on 1 MHz, not 10 MHz. If the input clock was 20MHz instead of 1 MHz, the value of 1 tick is based on 10 MHz (since theclock speed is limited to 10 MHz). Once the duration of a tick is known,the MinTicks value can be set. The value for MinTicks is the minimumnumber of ticks required to pass between calls to RD or RND key-basedfunctions. Suppose the input clock speed matches the maximum clock speedof 10 MHz. If we want a minimum of 1 second between calls to TST, thevalue for MinTicks is set to 10,000,000. Even a value such as 2 secondsmight be a completely reasonable value for a System such as a printer(one authentication per page, and one page produced every 2 or 3seconds).

Stage 4: Program Keys, Random Seed, MinTicks and Unused M

Authentication Chips are in an unknown state after manufacture.Alternatively, they have already been used in one consumable, and mustbe reprogrammed for use in another. Each Authentication Chip must becleared and programmed with new keys and new state data. Clearing andsubsequent programming of Authentication Chips must take place in asecure Programming Station environment.

Programming a Trusted System Authentication Chip

If the chip is to be a trusted System chip, a seed value for R must begenerated. It must be a random number derived from a physically randomprocess, and must not be 0. The following tasks must be undertaken, inthe following order, and in a secure programming environment:

-   -   1. RESET the chip    -   2. CLR[ ]    -   3. Load R (160 bit register) with physically random data    -   4. SSI[K₁, K₂, R]    -   5. SMT [MinTicks_(system)]        The Authentication Chip is now ready for insertion into a        System. It has been completely programmed. If the System        Authentication Chips are stolen at this point, a clone        manufacturer could use them to generate R, F_(K1)[R] pairs in        order to launch a known text attack on K₁, or to use for        launching a partially chosen-text attack on K₂. This is no        different to the purchase of a number of Systems, each        containing a trusted Authentication Chip. The security relies on        the strength of the Authentication protocols and the randomness        of K₁ and K₂.

Programming a Non-Trusted Consumable Authentication Chip

If the chip is to be a non-trusted Consumable Authentication Chip, theprogramming is slightly different to that of the trusted SystemAuthentication Chip. Firstly, the seed value for R must be 0. It musthave additional programming for M and the AccessMode values. The futureuse M[n] must be programmed with 0, and the random M[n] must beprogrammed with random data. The following tasks must be undertaken, inthe following order, and in a secure programming environment:

-   -   1. RESET the chip    -   2. CLR[ ]    -   3. Load R (160 bit register) with 0    -   4. SSI [K₁, K₂, R]    -   5. Load X (256 bit register) with 0    -   6. Set bits in X corresponding to appropriate M[n] with        physically random data    -   7. WR[X]    -   8. Load Y (32 bit register) with 0    -   9. Set bits in Y corresponding to appropriate M[n] with Read        Only Access Modes    -   10. SAM[Y]    -   11. [MinTicks_(consumable)]

The non-trusted consumable chip is now ready to be programmed with thegeneral state data. If the Authentication Chips are stolen at thispoint, an attacker could perform a limited chosen text attack. In thebest situation, parts of M are Read Only (0 and random data), with theremainder of M completely chosen by an attacker (via the WR command). Anumber of RD calls by an attacker obtains F_(K2)[M|R] for a limited M.In the worst situation, M can be completely chosen by an attacker (sinceall 256 bits are used for state data). In both cases however, theattacker cannot choose any value for R since it is supplied by calls toRND from a System Authentication Chip. The only way to obtain a chosen Ris by a Brute Force attack. It should be noted that if Stages 4 and 5are carried out on the same Programming Station (the preferred and idealsituation), Authentication Chips cannot be removed in between thestages. Hence there is no possibility of the Authentication Chips beingstolen at this point. The decision to program the Authentication Chipsat one or two times depends on the requirements of the System/Consumablemanufacturer.

Stage 5: Program State Data and Access Modes

This stage is only required for consumable Authentication Chips, since Mand AccessMode registers cannot be altered on System AuthenticationChips. The future use and random values of M[n] have already beenprogrammed in Stage 4. The remaining state data values need to beprogrammed and the associated Access Mode values need to be set. Bear inmind that the speed of this stage will be limited by the value stored inthe MinTicks register. This stage is separated from Stage 4 on accountof the differences either in physical location or in time betweenwhere/when Stage 4 is performed, and where/when Stage 5 is performed.Ideally, Stages 4 and 5 are performed at the same time in the sameProgramming Station. Stage 4 produces valid Authentication Chips, butdoes not load them with initial state values (other than 0). This is toallow the programming of the chips to coincide with production line runsof consumables. Although Stage 5 can be run multiple times, each timesetting a different state data value and Access Mode value, it is morelikely to be run a single time, setting all the remaining state datavalues and setting all the remaining Access Mode values. For example, aproduction line can be set up where the batch number and serial numberof the Authentication Chip is produced according to the physicalconsumable being produced. This is much harder to match if the statedata is loaded at a physically different factory.

The Stage 5 process involves first checking to ensure the chip is avalid consumable chip, which includes a RD to gather the data from theAuthentication Chip, followed by a WR of the initial data values, andthen a SAM to permanently set the new data values. The steps areoutlined here:

-   -   1. IsTrusted=GIT[ ]    -   2. If (IsTrusted), exit with error (wrong kind of chip!)    -   3. Call RND on a valid System chip to get a valid input pair    -   4. Call RD on chip to be programmed, passing in valid input pair    -   5. Load X (256 bit register) with results from a RD of        Authentication Chip    -   6. Call TST on valid System chip to ensure X and consumable chip        are valid    -   7. If (TST returns 0), exit with error (wrong consumable chip        for system)    -   8. Set bits of X to initial state values    -   9. WR[X]    -   10. Load Y (32 bit register) with 0    -   11. Set bits of Y corresponding to Access Modes for new state        values    -   12. SAM[Y]

Of course the validation (Steps 1 to 7) does not have to occur if Stage4 and 5 follow on from one another on the same Programming Station. Butit should occur in all other situations where Stage 5 is run as aseparate programming process from Stage 4. If these Authentication Chipsare now stolen, they are already programmed for use in a particularconsumable. An attacker could place the stolen chips into a cloneconsumable. Such a theft would limit the number of cloned products tothe number of chips stolen. A single theft should not create a supplyconstant enough to provide clone manufacturers with a cost-effectivebusiness. The alternative use for the chips is to save the attacker frompurchasing the same number of consumables, each with an AuthenticationChip, in order to launch a partially chosen text attack or brute forceattack. There is no special security breach of the keys if such anattack were to occur.

Manufacture

The circuitry of the Authentication Chip must be resistant to physicalattack. A summary of manufacturing implementation guidelines ispresented, followed by specification of the chip's physical defenses(ordered by attack).

Guidelines for Manufacturing

The following are general guidelines for implementation of anAuthentication Chip in terms of manufacture:

-   -   Standard process    -   Minimum size (if possible)    -   Clock Filter    -   Noise Generator    -   Tamper Prevention and Detection circuitry    -   Protected memory with tamper detection    -   Boot circuitry for loading program code    -   Special implementation of FETs for key data paths    -   Data connections in polysilicon layers where possible    -   OverUnderPower Detection Unit    -   No test circuitry

Standard Process

The Authentication Chip should be implemented with a standardmanufacturing process (such as Flash). This is necessary to:

-   -   Allow a great range of manufacturing location options    -   Take advantage of well-defined and well-known technology    -   Reduce cost        Note that the standard process still allows physical protection        mechanisms.

Minimum Size

The Authentication chip must have a low manufacturing cost in order tobe included as the authentication mechanism for low cost consumables. Itis therefore desirable to keep the chip size as low as reasonablypossible. Each Authentication Chip requires 802 bits of non-volatilememory. In addition, the storage required for optimized HMAC-SHA1 is1024 bits. The remainder of the chip (state machine, processor, CPU orwhatever is chosen to implement Protocol 3) must be kept to a minimum inorder that the number of transistors is minimized and thus the cost perchip is minimized. The circuit areas that process the secret keyinformation or could reveal information about the key should also beminimized (see Non-Flashing CMOS below for special data paths).

Clock Filter

The Authentication Chip circuitry is designed to operate within aspecific clock speed range. Since the user directly supplies the clocksignal, it is possible for an attacker to attempt to introducerace-conditions in the circuitry at specific times during processing. Anexample of this is where a high clock speed (higher than the circuitryis designed for) may prevent an XOR from working properly, and of thetwo inputs, the first may always be returned. These styles of transientfault attacks can be very efficient at recovering secret keyinformation. The lesson to be learned from this is that the input clocksignal cannot be trusted. Since the input clock signal cannot betrusted, it must be limited to operate up to a maximum frequency. Thiscan be achieved a number of ways.

-   -   In clock filter 80 an edge detect unit 81 passes the edge on to        a delay 82, which in turn enables a gate 83 so that the clock        signal is able to pass from the input port 84 to the output 85.    -   FIG. 8 shows the Clock Filter.

The delay should be set so that the maximum clock speed is a particularfrequency (e.g. about 4 MHz). Note that this delay is notprogrammable—it is fixed. The filtered clock signal would be furtherdivided internally as required.

Noise Generator

Each Authentication Chip should contain a noise generator that generatescontinuous circuit noise. The noise will interfere with otherelectromagnetic emissions from the chip's regular activities and addnoise to the I_(dd) signal. Placement of the noise generator is not anissue on an Authentication Chip due to the length of the emissionwavelengths. The noise generator is used to generate electronic noise,multiple state changes each clock cycle, and as a source ofpseudo-random bits for the Tamper Prevention and Detection circuitry. Asimple implementation of a noise generator is a 64-bit LFSR seeded witha non-zero number. The clock used for the noise generator should berunning at the maximum clock rate for the chip in order to generate asmuch noise as possible.

Tamper Prevention and Detection Circuitry

A set of circuits is required to test for and prevent physical attackson the Authentication Chip. However what is actually detected as anattack may not be an intentional physical attack. It is thereforeimportant to distinguish between these two types of attacks in anAuthentication Chip:

-   -   where you can be certain that a physical attack has occurred.    -   where you cannot be certain that a physical attack has occurred.        The two types of detection differ in what is performed as a        result of the detection. In the first case, where the circuitry        can be certain that a true physical attack has occurred, erasure        of Flash memory key information is a sensible action. In the        second case, where the circuitry cannot be sure if an attack has        occurred, there is still certainly something wrong. Action must        be taken, but the action should not be the erasure of secret key        information. A suitable action to take in the second case is a        chip RESET. If what was detected was an attack that has        permanently damaged the chip, the same conditions will occur        next time and the chip will RESET again. If, on the other hand,        what was detected was part of the normal operating environment        of the chip, a RESET will not harm the key.

A good example of an event that circuitry cannot have knowledge about,is a power glitch. The glitch may be an intentional attack, attemptingto reveal information about the key. It may, however, be the result of afaulty connection, or simply the start of a power-down sequence. It istherefore best to only RESET the chip, and not erase the key. If thechip was powering down, nothing is lost. If the System is faulty,repeated RESETs will cause the consumer to get the System repaired. Inboth cases the consumable is still intact. A good example of an eventthat circuitry can have knowledge about, is the cutting of a data linewithin the chip. If this attack is somehow detected, it could only be aresult of a faulty chip (manufacturing defect) or an attack. In eithercase, the erasure of the secret information is a sensible step to take.

Consequently each Authentication Chip should have 2 Tamper DetectionLines—one for definite attacks, and one for possible attacks. Connectedto these Tamper Detection Lines would be a number of Tamper Detectiontest units, each testing for different forms of tampering. In addition,we want to ensure that the Tamper Detection Lines and Circuitsthemselves cannot also be tampered with.

At one end of the Tamper Detection Line 90 is a source of pseudo-randombits 91 (clocking at high speed compared to the general operatingcircuitry). The Noise Generator circuit described above is an adequatesource. The generated bits pass through two different paths—one 92carries the original data, and the other 93 carries the inverse of thedata, it having passed through an inverter 94. The wires carrying thesebits are in the layer above the general chip circuitry (for example, thememory, the key manipulation circuitry etc). The wires must also coverthe random bit generator. The bits are recombined at a number of placesvia an XOR gate 95. If the bits are different (they should be), a 1 isoutput, and used by the particular unit (for example, each output bitfrom a memory read should be ANDed with this bit value). The linesfinally come together at the Flash memory Erase circuit, where acomplete erasure is triggered by a 0 from the XOR. Attached to the lineis a number of triggers, each detecting a physical attack on the chip.Each trigger has oversize nMOS transistors, such as 96, attached to GND.The Tamper Detection Line physically goes through these nMOStransistors. If the test fails, the trigger causes the Tamper DetectLine to become 0. The XOR test will therefore fail on either this clockcycle or the next one (on average), thus RESETing or erasing the chip.FIG. 9 illustrates the basic principle of a Tamper Detection Line withits outputs connected to either the Erase or RESET circuitry.

The Tamper Detection Line must go through the drain 100 of an outputtransistor 96 for each test, as illustrated by FIG. 10. It is notpossible to break the Tamper Detect Line since this would stop the flowof 1s and 0s from the random source. The XOR tests would therefore fail.As the Tamper Detect Line physically passes through each test, it is notpossible to eliminate any particular test without breaking the TamperDetect Line.

It is important that the XORs take values from a variety of places alongthe Tamper Detect Lines in order to reduce the chances of an attack.FIG. 11 illustrates the taking of multiple XORs, indicated generally at110, from the Tamper Detect Line to be used in the different parts ofthe chip. Each of these XORs 110 can be considered to be generating aChipOK bit that can be used within each unit or sub-unit.

A sample usage would be to have an OK bit in each unit that is ANDedwith a given ChipOK bit each cycle. The OK bit is loaded with 1 on aRESET. If OK is 0, that unit will fail until the next RESET. If theTamper Detect Line is functioning correctly, the chip will either RESETor erase all key information. If the RESET or erase circuitry has beendestroyed, then this unit will not function, thus thwarting an attacker.The destination of the RESET and Erase line and associated circuitry isvery context sensitive. It needs to be protected in much the same way asthe individual tamper tests. There is no point generating a RESET pulseif the attacker can simply cut the wire leading to the RESET circuitry.The actual implementation will depend very much on what is to be clearedat RESET, and how those items are cleared.

Finally, FIG. 12 shows how the Tamper Lines 120 cover the noisegenerator circuitry 121 of the chip. The generator 121 and NOT gate 122are on one level, while the Tamper Detect Lines 120 run on a level abovethe generator 121.

Protected Memory with Tamper Detection

It is not enough to simply store secret information or program code inFlash memory. The Flash memory and RAM must be protected from anattacker who would attempt to modify (or set) a particular bit ofprogram code or key information. The mechanism used must conform tobeing used in the Tamper Detection Circuitry (described above). Thefirst part of the solution is to ensure that the Tamper Detection Linepasses directly above each Flash or RAM bit. This ensures that anattacker cannot probe the contents of Flash or RAM. A breach of thecovering wire is a break in the Tamper Detection Line. The breach causesthe Erase signal to be set, thus deleting any contents of the memory.The high frequency noise on the Tamper Detection Line also obscurespassive observation.

The second part of the solution for Flash is to use multi-level datastorage, but only to use a subset of those multiple levels for valid bitrepresentations. Normally, when multi-level Flash storage is used, asingle floating gate holds more than one bit. For example, a4-voltage-state transistor can represent two bits. Assuming a minimumand maximum voltage representing 00 and 11 respectively, the two middlevoltages represent 01 and 10. In the Authentication Chip, we can use thetwo middle voltages to represent a single bit, and consider the twoextremes to be invalid states. If an attacker attempts to force thestate of a bit one way or the other by closing or cutting the gate'scircuit, an invalid voltage (and hence invalid state) results.

The second part of the solution for RAM is to use a parity bit. The datapart of the register can be checked against the parity bit (which willnot match after an attack). The bits coming from Flash and RAM cantherefore be validated by a number of test units (one per bit) connectedto the common Tamper Detection Line. The Tamper Detection circuitrywould be the first circuitry the data passes through (thus stopping anattacker from cutting the data lines).

Boot Circuitry for Loading Program Code

Program code should be kept in multi-level Flash instead of ROM, sinceROM is subject to being altered in a non-testable way. A boot mechanismis therefore required to load the program code into Flash memory (Flashmemory is in an indeterminate state after manufacture). The bootcircuitry must not be in ROM—a small state-machine would suffice.Otherwise the boot code could be modified in an undetectable way. Theboot circuitry must erase all Flash memory, check to ensure the erasureworked, and then load the program code. Flash memory must be erasedbefore loading the program code. Otherwise an attacker could put thechip into the boot state, and then load program code that simplyextracted the existing keys. The state machine must also check to ensurethat all Flash memory has been cleared (to ensure that an attacker hasnot cut the Erase line) before loading the new program code. The loadingof program code must be undertaken by the secure Programming Stationbefore secret information (such as keys) can be loaded.

Special Implementation of FETs for Key Data Paths

The normal situation for FET implementation for the case of a CMOSInverter 130, which involves a pMOS transistor 131 combined with an nMOStransistor 132) is shown in FIG. 13.

FIG. 14 is the voltage/current diagram for the CMOS inverter 130. Duringthe transition, there is a small period of time 140 where both the nMOStransistor 132 and the pMOS transistor 131 have an intermediateresistance. The resultant power-ground short circuit causes a temporaryincrease in the current, and in fact accounts for the majority ofcurrent consumed by a CMOS device. A small amount of infrared light isemitted during the short circuit, and can be viewed through the siliconsubstrate (silicon is transparent to infrared light). A small amount oflight is also emitted during the charging and discharging of thetransistor gate capacitance and transmission line capacitance.

For circuitry that manipulates secret key information, such informationmust be kept hidden. An alternative non-flashing CMOS implementation 150should therefore be used for all data paths that manipulate the key or apartially calculated value that is based on the key. The use of twonon-overlapping clocks φ1 and φ2 can provide a non-flashing mechanism.φ1 is connected to a second gate 151 of all nMOS transistors 152, and 42is connected to a second gate 153 of all pMOS transistors 154. Thetransition can only take place in combination with the clock. Since φ1and φ2 are non-overlapping, the pMOS and nMOS transistors will not havea simultaneous intermediate resistance. The setup is shown in FIG. 15and the impedance diagram in FIG. 16.

Finally, regular CMOS inverters can be positioned near criticalnon-Flashing CMOS components. These inverters should take their inputsignal from the Tamper Detection Line above. Since the Tamper DetectionLine operates multiple times faster than the regular operatingcircuitry, the net effect will be a high rate of light-bursts next toeach non-Flashing CMOS component. Since a bright light overwhelmsobservation of a nearby faint light, an observer will not be able todetect what switching operations are occurring in the chip proper. Thisarrangement is conceptually illustrated in FIG. 17 with the noisegenerator 121, tamper detection line 120, regular CMOS inverter 130 andnon-flashing CMOS component 150. These regular CMOS inverters will alsoeffectively increase the amount of circuit noise, reducing the SNR andobscuring useful EMI.

There are a number of side effects due to the use of non-Flashing CMOS:

-   -   The effective speed of the chip is reduced by twice the rise        time of the clock per clock cycle. This is not a problem for an        Authentication Chip.    -   The amount of current drawn by the non-Flashing CMOS is reduced        (since the short circuits do not occur). However, this is offset        by the use of regular CMOS inverters.    -   Routing of the clocks increases chip area, especially since        multiple versions of φ1 and φ2 are required to cater for        different levels of propagation. The estimation of chip area is        double that of a regular implementation.    -   Design of the non-Flashing areas of the Authentication Chip are        slightly more complex than to do the same with a with a regular        CMOS design. In particular, standard cell components cannot be        used, making these areas full custom. This is not a problem for        something as small as an Authentication Chip, particularly when        the entire chip does not have to be protected in this manner.        Connections in Polysilicon Layers where Possible

Wherever possible, the connections along which the key or secret dataflows, should be made in the polysilicon layers. Where necessary, theycan be in metal 1, but must never be in the top metal layer (containingthe Tamper Detection Lines).

OverUnderPower Detection Unit

Each Authentication Chip requires an OverUnderPower Detection Unit toprevent Power Supply Attacks. An OverUnderPower Detection Unit detectspower glitches and tests the power level against a Voltage Reference toensure it is within a certain tolerance. The Unit contains a singleVoltage Reference and two comparators. The OverUnderPower Detection Unitwould be connected into the RESET Tamper Detection Line, thus causing aRESET when triggered. A side effect of the OverUnderPower Detection Unitis that as the voltage drops during a power-down, a RESET is triggered,thus erasing any work registers.

No Test Circuitry

Test hardware on an Authentication Chip could very easily introducevulnerabilities. As a result, the Authentication Chip should not containany BIST or scan paths. The Authentication Chip must therefore betestable with external test vectors. This should be possible since theAuthentication Chip is not complex.

Reading ROM

This attack depends on the key being stored in an addressable ROM. Sinceeach Authentication Chip stores its authentication keys in internalFlash memory and not in an addressable ROM, this attack is irrelevant.

Reverse Engineering the Chip

Reverse engineering a chip is only useful when the security ofauthentication lies in the algorithm alone. However our AuthenticationChips rely on a secret key, and not in the secrecy of the algorithm. Ourauthentication algorithm is, by contrast, public, and in any case, anattacker of a high volume consumable is assumed to have been able toobtain detailed plans of the internals of the chip. In light of thesefactors, reverse engineering the chip itself, as opposed to the storeddata, poses no threat.

Usurping the Authentication Process

There are several forms this attack can take, each with varying degreesof success. In all cases, it is assumed that a clone manufacturer willhave access to both the System and the consumable designs. An attackermay attempt to build a chip that tricks the System into returning avalid code instead of generating an authentication code. This attack isnot possible for two reasons. The first reason is that SystemAuthentication chips and Consumable Authentication Chips, althoughphysically identical, are programmed differently. In particular, the RDopcode and the RND opcode are the same, as are the WR and TST opcodes. ASystem authentication Chip cannot perform a RD command since every callis interpreted as a call to RND instead. The second reason this attackwould fail is that separate serial data lines are provided from theSystem to the System and Consumable Authentication Chips. Consequentlyneither chip can see what is being transmitted to or received from theother. If the attacker builds a clone chip that ignores WR commands(which decrement the consumable remaining), Protocol 3 ensures that thesubsequent RD will detect that the WR did not occur. The System willtherefore not go ahead with the use of the consumable, thus thwartingthe attacker. The same is true if an attacker simulates loss of contactbefore authentication—since the authentication does not take place, theuse of the consumable doesn't occur. An attacker is therefore limited tomodifying each System in order for clone consumables to be accepted.

Modification of System

The simplest method of modification is to replace the System'sAuthentication Chip with one that simply reports success for each callto TST. This can be thwarted by System calling TST several times foreach authentication, with the first few times providing false values,and expecting a fail from TST. The final call to TST would be expectedto succeed. The number of

false calls to TST could be determined by some part of the returnedresult from RD or from the system clock. Unfortunately an attacker couldsimply rewire System so that the new System clone authentication chipcan monitor the returned result from the consumable chip or clock. Theclone System Authentication Chip would only return success when thatmonitored value is presented to its TST function. Clone consumablescould then return any value as the hash result for RD, as the cloneSystem chip would declare that value valid. There is therefore no pointfor the System to call the System Authentication Chip multiple times,since a rewiring attack will only work for the System that has beenrewired, and not for all Systems. A similar form of attack on a Systemis a replacement of the System ROM. The ROM program code can be alteredso that the Authentication never occurs. There is nothing that can bedone about this, since the System remains in the hands of a consumer. Ofcourse this would void any warranty, but the consumer may consider thealteration worthwhile if the clone consumable were extremely cheap andmore readily available than the original item.

The System/consumable manufacturer must therefore determine how likelyan attack of this nature is. Such a study must include given the pricingstructure of Systems and Consumables, frequency of System service,advantage to the consumer of having a physical modification performed,and where consumers would go to get the modification performed. Thelimit case of modifying a system is for a clone manufacturer to providea completely clone System which takes clone consumables. This may besimple competition or violation of patents. Either way, it is beyond thescope of the Authentication Chip and depends on the technology orservice being cloned.

Direct Viewing of Chip Operation by Conventional Probing

In order to view the chip operation, the chip must be operating.However, the Tamper Prevention and Detection circuitry covers thosesections of the chip that process or hold the key. It is not possible toview those sections through the Tamper Prevention lines. An attackercannot simply slice the chip past the Tamper Prevention layer, for thiswill break the Tamper Detection Lines and cause an erasure of all keysat power-up. Simply destroying the erasure circuitry is not sufficient,since the multiple ChipOK bits (now all 0) feeding into multiple unitswithin the Authentication Chip will cause the chip's regular operatingcircuitry to stop functioning. To set up the chip for an attack, then,requires the attacker to delete the Tamper Detection lines, stop theErasure of Flash memory, and somehow rewire the components that reliedon the ChipOK lines. Even if all this could be done, the act of slicingthe chip to this level will most likely destroy the charge patterns inthe non-volatile memory that holds the keys, making the processfruitless.

Direct Viewing of the Non-Volatile Memory

If the Authentication Chip were sliced so that the floating gates of theFlash memory were exposed, without discharging them, then the keys couldprobably be viewed directly using an STM or SKM. However, slicing thechip to this level without discharging the gates is probably impossible.Using wet etching, plasma etching, ion milling, or chemical mechanicalpolishing will almost certainly discharge the small charges present onthe floating gates. This is true of regular Flash memory, but even moreso of multi-level Flash memory.

Viewing the Light Bursts Caused by State Changes

All sections of circuitry that manipulate secret key information areimplemented in the non-Flashing CMOS described above. This prevents theemission of the majority of light bursts. Regular CMOS inverters placedin close proximity to the non-Flashing CMOS will hide any faintemissions caused by capacitor charge and discharge. The inverters areconnected to the Tamper Detection circuitry, so they change state manytimes (at the high clock rate) for each non-Flashing CMOS state change.

Monitoring EMI

The Noise Generator described above will cause circuit noise. The noisewill interfere with other electromagnetic emissions from the chip'sregular activities and thus obscure any meaningful reading of internaldata transfers.

Viewing I_(dd) Fluctuations

The solution against this kind of attack is to decrease the SNR in theI_(dd) signal. This is accomplished by increasing the amount of circuitnoise and decreasing the amount of signal. The Noise Generator circuit(which also acts as a defense against EMI attacks) will also causeenough state changes each cycle to obscure any meaningful information inthe I_(dd) signal. In addition, the special Non-Flashing CMOSimplementation of the key-carrying data paths of the chip preventscurrent from flowing when state changes occur. This has the benefit ofreducing the amount of signal.

Differential Fault Analysis

Differential fault bit errors are introduced in a non-targeted fashionby ionization, microwave radiation, and environmental stress. The mostlikely effect of an attack of this nature is a change in Flash memory(causing an invalid state) or RAM (bad parity). Invalid states and badparity are detected by the Tamper Detection Circuitry, and cause anerasure of the key. Since the Tamper Detection Lines cover the keymanipulation circuitry, any error introduced in the key manipulationcircuitry will be mirrored by an error in a Tamper Detection Line. Ifthe Tamper Detection Line is affected, the chip will either continuallyRESET or simply erase the key upon a power-up, rendering the attackfruitless. Rather than relying on a non-targeted attack and hoping that“just the right part of the chip is affected in just the right way”, anattacker is better off trying to introduce a targeted fault (such asoverwrite attacks, gate destruction etc). For information on thesetargeted fault attacks, see the relevant sections below.

Clock Glitch Attacks

The Clock Filter (described above) eliminates the possibility of clockglitch attacks.

Power Supply Attacks

The OverUnderPower Detection Unit (described above) eliminates thepossibility of power supply attacks.

Overwriting ROM

Authentication Chips store Program code, keys and secret information inFlash memory, and not in ROM. This attack is therefore not possible.

Modifying EEPROM/Flash

Authentication Chips store Program code, keys and secret information inFlash memory. However, Flash memory is covered by two Tamper Preventionand Detection Lines. If either of these lines is broken (in the processof destroying a gate) the attack will be detected on power-up, and thechip will either RESET (continually) or erase the keys from Flashmemory. However, even if the attacker is able to somehow access the bitsof Flash and destroy or short out the gate holding a particular bit,this will force the bit to have no charge or a full charge. These areboth invalid states for the Authentication Chip's usage of themulti-level Flash memory (only the two middle states are valid). Whenthat data value is transferred from Flash, detection circuitry willcause the Erasure Tamper Detection Line to be triggered—thereby erasingthe remainder of Flash memory and RESETing the chip. A ModifyEEPROM/Flash Attack is therefore fruitless.

Gate Destruction Attacks

Gate Destruction Attacks rely on the ability of an attacker to modify asingle gate to cause the chip to reveal information during operation.However any circuitry that manipulates secret information is covered byone of the two Tamper Prevention and Detection lines. If either of theselines is broken (in the process of destroying a gate) the attack will bedetected on power-up, and the chip will either RESET (continually) orerase the keys from Flash memory. To launch this kind of attack, anattacker must first reverse-engineer the chip to determine which gate(s)should be targeted. Once the location of the target gates has beendetermined, the attacker must break the covering Tamper Detection line,stop the Erasure of Flash memory, and somehow rewire the components thatrely on the ChipOK lines. Rewiring the circuitry cannot be done withoutslicing the chip, and even if it could be done, the act of slicing thechip to this level will most likely destroy the charge patterns in thenon-volatile memory that holds the keys, making the process fruitless.

Overwrite Attacks

An Overwrite Attack relies on being able to set individual bits of thekey without knowing the previous value. It relies on probing the chip,as in the Conventional Probing Attack and destroying gates as in theGate Destruction Attack. Both of these attacks (as explained in theirrespective sections), will not succeed due to the use of the TamperPrevention and Detection Circuitry and ChipOK lines. However, even ifthe attacker is able to somehow access the bits of Flash and destroy orshort out the gate holding a particular bit, this will force the bit tohave no charge or a full charge. These are both invalid states for theAuthentication Chip's usage of the multi-level Flash memory (only thetwo middle states are valid). When that data value is transferred fromFlash detection circuitry will cause the Erasure Tamper Detection Lineto be triggered—thereby erasing the remainder of Flash memory andRESETing the chip. In the same way, a parity check on tampered valuesread from RAM will cause the Erasure Tamper Detection Line to betriggered. An Overwrite Attack is therefore fruitless.

Memory Remanence Attack

Any working registers or RAM within the Authentication Chip may beholding part of the authentication keys when power is removed. Theworking registers and RAM would continue to hold the information forsome time after the removal of power. If the chip were sliced so thatthe gates of the registers/RAM were exposed, without discharging them,then the data could probably be viewed directly using an STM. The firstdefense can be found above, in the description of defense against PowerGlitch Attacks. When power is removed, all registers and RAM arecleared, just as the RESET condition causes a clearing of memory. Thechances then, are less for this attack to succeed than for a reading ofthe Flash memory. RAM charges (by nature) are more easily lost thanFlash memory. The slicing of the chip to reveal the RAM will certainlycause the charges to be lost (if they haven't been lost simply due tothe memory not being refreshed and the time taken to perform theslicing). This attack is therefore fruitless.

Chip Theft Attack

There are distinct phases in the lifetime of an Authentication Chip.Chips can be stolen when at any of these stages:

-   -   After manufacture, but before programming of key    -   After programming of key, but before programming of state data    -   After programming of state data, but before insertion into the        consumable or system    -   After insertion into the system or consumable

A theft in between the chip manufacturer and programming station wouldonly provide the clone manufacturer with blank chips. This merelycompromises the sale of Authentication chips, not anything authenticatedby the Authentication chips. Since the programming station is the onlymechanism with consumable and system product keys, a clone manufacturerwould not be able to program the chips with the correct key. Clonemanufacturers would be able to program the blank chips for their ownSystems and Consumables, but it would be difficult to place these itemson the market without detection. The second form of theft can onlyhappen in a situation where an Authentication Chip passes through two ormore distinct programming phases. This is possible, but unlikely. In anycase, the worst situation is where no state data has been programmed, soall of M is read/write. If this were the case, an attacker could attemptto launch an Adaptive Chosen Text Attack on the chip. The HMAC-SHA1algorithm is resistant to such attacks. The third form of theft wouldhave to take place in between the programming station and theinstallation factory. The Authentication chips would already beprogrammed for use in a particular system or for use in a particularconsumable. The only use these chips have to a thief is to place theminto a clone System or clone Consumable. Clone systems are irrelevant—acloned System would not even require an authentication chip. For cloneConsumables, such a theft would limit the number of cloned products tothe number of chips stolen. A single theft should not create a supplyconstant enough to provide clone manufacturers with a cost-effectivebusiness. The final form of theft is where the System or Consumableitself is stolen. When the theft occurs at the manufacturer, physicalsecurity protocols must be enhanced. If the theft occurs anywhere else,it is a matter of concern only for the owner of the item and the policeor insurance company. The security mechanisms that the AuthenticationChip uses assume that the consumables and systems are in the hands ofthe public. Consequently, having them stolen makes no difference to thesecurity of the keys.

1. A method authenticating a consumable, the consumable including afirst integrated circuit operative to receive data and return the dataencrypted, the method comprising the steps of: receiving a random numberfrom a trusted second integrated circuit; communicating the randomnumber to the first integrated circuit; receiving from the firstintegrated circuit a first message containing the random numberencrypted by the first integrated circuit; receiving from the trustedsecond integrated circuit a second message containing the random numberencrypted by the trusted integrated circuit; comparing the first andsecond messages, the consumable being authentic when the first andsecond messages are the same.
 2. The method according to claim 1 whereincommunication to and from the first and second integrated circuits areinsecure.
 3. The method according to claim 1 further comprising aninitial step of: requesting the random number from the trusted firstintegrated circuit.
 4. The method according to claim 1 furthercomprising the step of: communicating the random number to the trustedsecond integrated circuit when communicating the random number to thefirst integrated circuit.
 5. The method according to claim 1 whereindifferent instances of the trusted second integrated circuit containrandom number generators seeded with different initial values.
 6. Themethod according to claim 1 wherein encryption uses a key stored in therespective integrated circuits.
 7. The method according to claim 6wherein the key is secret.